Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for February 17th, 2009

Grand Central Terminal: The American Experience

I watched The American Experience: Grand Central Terminal last night and I have to say, I loved it. The history of the station, the invention of Air Rights, and the photos of the place were great. I look forward to photographing the station more in the future. If you have the time, do check it out online.

Written by Krypt3ia

2009/02/17 at 10:53

Posted in History

Infosec Awareness

As Dirty Harry once said: “A man’s got to know his limitations.” I found this today as I was looking for posters to put into a security awareness program. Not the usual fare and surely NOT going to be used by the client, but, thought I would share…

The Seven Deadliest Social Networking Hacks

Here’s a look at the seven most lethal social network hacks:

  • 1) Impersonation and targeted personal attacks
  • 2) Spam and bot infections
  • 3) Weaponized OpenSocial and other social networking applications
  • 4) Crossover of personal to professional online presence
  • 5) XSS, CSRF attacks
  • 6) Identity theft
  • 7) Corporate espionage

Full story here

Hmmm well, yeah, been there done that on the “impersonation and the Corporate Espionage”. Actually, it’s a good thing to create an online persona for doing such work. It just goes with the territory though, the more you put out online, the more possibilities there are for abuse of your data.

Add to this all the XSS and other attacks out there that are browser centric, and you have quite the vector group for attacks on persons and entities.

Gotta love the “social” engineering!

Written by Krypt3ia

2009/02/17 at 01:40

Stopping The Insider

Bruce Schneier on “The Insider Threat and its Mitigation”

1. Limit the number of trusted people. This one is obvious. The fewer people who have root access to the computer system, know the combination to the safe, or have the authority to sign checks, the more secure the system is.

2. Ensure that trusted people are also trustworthy. This is the idea behind background checks, lie detector tests, personality profiling, prohibiting convicted felons from getting certain jobs, limiting other jobs to citizens, the TSA’s no-fly list, and so on, as well as behind bonding employees, which means there are deep pockets standing behind them if they turn out not to be trustworthy.

3. Limit the amount of trust each person has. This is compartmentalization; the idea here is to limit the amount of damage a person can do if he ends up not being trustworthy. This is the concept behind giving people keys that only unlock their office or passwords that only unlock their account, as well as “need to know” and other levels of security clearance.

4. Give people overlapping spheres of trust. This is what security professionals call defense in depth. It’s why it takes two people with two separate keys to launch nuclear missiles, and two signatures on corporate checks over a certain value. It’s the idea behind bank tellers requiring management overrides for high-value transactions, double-entry bookkeeping, and all those guards and cameras at casinos. It’s why, when you go to a movie theater, one person sells you a ticket and another person standing a few yards away tears it in half: It makes it much harder for one employee to defraud the system. It’s why key bank employees need to take their two-week vacation all at once – so their replacements have a chance to uncover any fraud.

5. Detect breaches of trust after the fact and prosecute the guilty. In the end, the four previous techniques can only do so well. Trusted people can subvert a system. Most of the time, we discover the security breach after the fact and then punish the perpetrator through the legal system: publicly, so as to provide a deterrence effect and increase the overall level of security in society. This is why audit is so vital.

The rest of the article can be found here

Much of this needs to be taught to corporate America still today. All too often they also think that by instituting all of these protocols and more, you can “stop” the internal threat. They would be wrong as Schneier points out later on, but, still the perception persists. Sure, you may cut down on this kind of thing, but you will never outright stop it.

Vigilance is key.

But here’s my thing. He starts off with the Makwana case. Ya know, the Indian guy who had all the access to plant the logic bombs in Fannie Mae? Well, here is where I get on my high horse. Why oh why did they give this guy, an Indian contractor, a guy from a country with a porous border with Pakistan, such access to ALL their important servers?

What were they thinking?

You have to take things like this into account you know, when you hire tech help from anywhere you must do background checks etc. Get a feel for who the person is and where they are in the head space. Of course this may not give you any idea at all that they are going to screw you, but, it’s better than not doing it at all.

Of course these folks at Fannie have never been so good at security. Surely their telling the guy he was fired but could work the rest of the day was EPICALLY stupid and a real recipe for FAIL… But, I have seen that before in other places. What are people thinking?

Anyway, Bruce has a point and I thought perhaps it should get some more sunlight than just the WSJ.

Written by Krypt3ia

2009/02/17 at 00:53

Apple fixes dozens of holes with OS X security update

Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.

Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could expose passwords to other local users.

Security Update 2009-001 can be obtained from the Software Update pane in System Preferences or Apple’s Software Downloads Web site.

Apple also on Thursday released Safari 3.2.2 for Windows, which fixes a vulnerability that could allow execution of arbitrary JavaScript in the local security zone. That update is also on Apple’s download site.

So, you hear that all you Macheads out there? Go download the patches because if you don’t you will be r00t3d! And lose that smug sense of security superiority will ya? She ain’t as secure as you think…

Written by Krypt3ia

2009/02/17 at 00:32

Posted in Cyber, Hacking, Infosec, Security