Showing posts with label Information Security. Show all posts

March 19, 2017

G's Reading List for March 19, 2017

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
by Dan Goodin @ Arstechnica.com

Using three different exploits, in the Microsoft Edge browser, in Windows 10, and then in VMware, contestants were able to escape a virtual machine and compromise the host the VM was running on. Impressive.
Link: https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
_____________________________________________

Malwarebytes teams up with Cybersecurity Factory
by Malwarebytes Labs
Malwarebytes is proud to support Cybersecurity Factory, a 10-week summer program for early-stage cybersecurity companies. This program, run in collaboration with Highland Capital Partners, provides teams with a $35,000 convertible note investment, office space, and dedicated security mentorship from industry leaders at leading companies throughout the United States...
Link: https://blog.malwarebytes.com/malwarebytes-news/2017/02/malwarebytes-teams-up-with-cybersecurity-factory/
_____________________________________________

WikiLeaks to Share CIA Hacking Data with Tech Companies
by Marissa Lang, San Francisco Chronicle
WikiLeaks will release the code showing how the CIA managed to break into phones, work around encrypted messaging apps and avoid detection by software designed to defend against cyberattacks.
_____________________________________________

Google Points to Another POS Vendor Breach
by Brian Krebs @ Krebs on Security

Another good thing about Google's site warnings.


December 4, 2016

G's Reading List for Dec. 4, 2016

Some interesting quotes from a couple of articles...

The Hard Thing About Safe Things
By Rich Seymour
October 12, 2016
https://www.endgame.com/blog/hard-thing-about-safe-things

Completeness
"This is an especially useful distinction for infosec, which often fails to integrate the insider threat element or human vulnerabilities into the security posture."

Clear Prioritization
"...urges practitioners and organizations to step back and assess one thing: What can I not accept losing?"
"Treating unacceptable loss as the only factor, not probability of loss, may seem unscientific, but it produces a safer system. As a corollary, the more acceptable loss you can build into your systems, the more resilient they will be."

Resilience
"...the rush to place blame hindered efforts to repair the conditions that made the accident possible."
"To blame the user for clicking on a malicious link and say you’ve found the root cause of their infection ignores the fact that users click on links in email as part of their job."

From Theory to Implementation
"Cybersecurity epitomizes the complexity and systems of systems approach ideal for STPA. If we aren’t willing to methodically explore our systems piece by piece to find vulnerabilities, there is an attacker who will."


Human Adversaries: Why Information Security is Unlike Engineering

"There are many ways to break down these differences, which I’ve summarized in the table below, but a simple way to think about it is that in the fields without human adversaries (e.g. building bridges) once you have found a solution, (make sure your cables can support the expected loads and stresses) you can standardize that solution and be basically done."

"In contrast, human adversaries means your opposition is adaptable, intelligent, and goal-driven."

Doing the Unexpected
"In fields with human adversaries, although some actions will be standardized, complete predictability is a recipe for failure."

"In information security, those who have conducted offensive operations know that offensive groups will never send an attack they believe will be stopped by defensive measures."

"...we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries."