July 2007
41 posts
Alex Hutton: @mcwresearch: Well, I was thinking that “What Difference Does It Make” is apropos for Blackhat the past few years (via Twitter / Alex Hutton)
Jul 31st
Alex Hutton: @mcwresearch: nah, you’re better off listening to the Smiths and reading the blog reports (via Twitter / Alex Hutton)
Jul 31st
Alex Hutton: @BSAG: LOL! (via Twitter / Alex Hutton)
Jul 30th
Information Risk Management Bookmark Group
Sorry for the lack of posting, hombres! Last week was crazy with seminars and travel and all flavors of lack of Internet connectivity. Short version of the following post? I made a Risk Management Bookmarking Group on Magnolia and want to invite you to join! Let’s get into “the social” and share bookmarks, shall we? SWITCHING BOOKMARK SERVICES One of the things that I did do last week was...
Jul 30th
Alex Hutton: my brain hurts (via Twitter / Alex Hutton)
Jul 28th
Alex Hutton: (yawn) (via Twitter / Alex Hutton)
Jul 27th
Alex Hutton: I have more Pownce invites! (via Twitter / Alex Hutton)
Jul 27th
Accuracy, Precision, And Threat/Vulnerability...
Hola from the Lone Star State, and Genuine Joe’s coffee shop here in Austin. I’ve been thinking a little bit about “threat/vulnerability” pairing.  You know the drill, go out, get a scan - match the scan data to existing exploits, and voila!  You’ve got risk. Now regular readers and FAIR practitioners know that I don’t believe this exercise gives you risk at all.  In fact, in FAIR terms, I’m...
Jul 23rd
Journalism Logic Exercise
There’s got to be something to be said about “flock theory” and the Internet these days.  Why can’t we realize that there’s a population distribution to just about everything, and that there are outliers?  They really should have at least one logic class requirement for journalists. Great example, the iPhone  / Duke University hub-bub.   Now before anyone accuses me of being a fan-boy, I have no...
Jul 21st
Alex Hutton: My EKG, Blood Pressure, and X-Rays were all good. Maybe it wasn’t a heart attack? (via Twitter / Alex Hutton)
Jul 18th
Alex Hutton: My friend Chesley Windon is Web 1.0 (via Twitter / Alex Hutton)
Jul 18th
Alex Hutton: GTD (via Twitter / Alex Hutton)
Jul 18th
Alex Hutton: If I ever get the time, I’m going to build a “theme” for Tracks (via Twitter / Alex Hutton)
Jul 18th
Alex Hutton: Back at Panera in the CMH…. Gotta work that funding/SOW funk. (via Twitter / Alex Hutton)
Jul 18th
iPhone Vulnerability Hype
Caught up with the “critical” iPhone vulnerability yet? SPI is telling iPhone users not to use the feature where you can tap on a phone number and have your phone call someone because an attacker could redirect your call. In their coverage, Security Mentor says: That may be overcautious since they don’t report any cases in the wild of bad guys using this bug to attack people. Let’s say that...
Jul 18th
Rails on OpenBSD
My friend Aaron has a series of posts about Rails on OpenBSD.  Check it out. (via RiskAnalys.is)
Jul 17th
Threatmeter.com Virus
Well, here’s a post I didn’t think I’d be making this morning.  A few days ago I put up a link to a funny little parody site called threatmeter.  Don’t go to the site.  Mark went there today and Windows Onecare told him the site has the Decdec.A virus - Sophos information here. I’m very, very sorry.   If you followed the link, please make sure this site didn’t infect you. Now I’m faced with an...
Jul 17th
Alex Hutton: That kind of freaks me out (via Twitter / Alex Hutton)
Jul 16th
Alex Hutton: Oh, and I may have had a little heart attack Saturday night (via Twitter / Alex Hutton)
Jul 16th
Alex Hutton: Waiting for a plane… Realizing that Pownce is DOA (via Twitter / Alex Hutton)
Jul 16th
Risk Assessment Is Not Guesswork
I love Richard Bejtlich’s weblog.  He’s a very intelligent individual and if you aren’t already subscribing to his stuff, you really ought to.  ROI is making the circles of blogdom again, and Richard’s in deep in it (security topics are like airborne viruses - they keep going around and around from person to person until we acquire immunity). I know Richard’s read this weblog before, he’s had...
Jul 16th
Busy Week
If you haven’t seen threatmeter.com, you really, really should check it out.  Now.  The rest of this post will wait. Thanks for coming back.  Sorry for the radio silence, campers, on client site all week with really long days. Thought I’d point out posts with a theme for us today: THE ROI THING  Ken Belva takes Richard Bejtlich’s pragmatism to task on speaking value to business. In a...
Jul 13th
Pownce Invite
Hey, I have one Pownce Invite left, and everyone I know is a Security Curmudgeon (or works in a bank or something), so I thought I’d offer it out to you, my Internet friends.  First regular commenter to leave a comment on this post gets it.  Make sure the email you enter into your comment is the one you want the invite sent to. Pownce is like Twitter on steroids, and is all the rage with the...
Jul 10th
Alex Hutton: I got Pownce invites… (via Twitter / Alex Hutton)
Jul 10th
Risk Decision Making: Whose call is it?
I still occasionally run into a debate with colleagues over whether security should be making the major information risk decisions for an organization, or whether it’s business management’s responsibility. Rather than just spew my opinion, let me try to build an illustration of how I view the problem. Picture this… 1. Risk decisions are the things that drive policies, priorities, initiatives,...
Jul 9th
Alex Hutton: @daveseah: unless you’re really into video - a Nano. And it’s going to depend on the size of your music collection (via Twitter / Alex Hutton)
Jul 7th
The “Insider Statistic”, Good Data, & Risk
OR, IT REALLY IS ALL ABOUT PII One of the most hallowed statistics quoted by consultants and analysts alike is what I like to call the “Insider Statistic”. You know the one - a few years back somebody, somewhere, released a study that said 60% (I’ve seen quoted as high as 80%) of all attacks come from the inside. I’m not even going to bother going into the history here, as I don’t feel like...
Jul 5th
Alex Hutton: can VZW evdo work with a Windows Palm? Let’s find out! (via Twitter / Alex Hutton)
Jul 4th
Alex Hutton: Findlay Ohio! (via Twitter / Alex Hutton)
Jul 4th
About loss
Before we get into the meat of this post, we need to establish a common definition for the word “incident”. At least for the purposes of this posting we’ll consider “incident” to mean “loss event” (y’all can use whatever definition you like at any other time – it’s one of the things our profession is best at). In other words, something bad has happened that resulted directly in loss. It does...
Jul 4th
Alex Hutton: @wham - work. Then fireworks. (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: do your warcraft orc impression there (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: Work Work (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: Wishing I knew someone with Expression Engine experience! (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: off getting my haircut (via Twitter / Alex Hutton)
Jul 3rd
Statements We Make When We’re Out Of Touch With...
You’re out of touch, I’m out of time… Found a quote through Dan Sullivan (via Mike Rothman) in his post “Compliance is Less Expensive Than Data Breaches”. Dan’s post was based on (this) Computerworld article. The quote from the Computerworld article: Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company’s reputation. Gartner...
Jul 3rd
Alex Hutton: And just installed Growl (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: I’m not thrilled with the styling of the message box on Adium (via Twitter / Alex Hutton)
Jul 3rd
Alex Hutton: I’m tryin out Adium finally (via Twitter / Alex Hutton)
Jul 3rd
Potpourri for $100, Alex
We’ve got some really great posts we’re working on this week. I think you’ll like some of the content. This morning, I’d like to take some time and just point some stuff out. First, I’m kind of bummed that I couldn’t put glasses on my Simpsons avatar (left). I also resisted going with the “fat” homer-shaped body - I guess I can still lie to myself. Second, my friend Rafeeq has a blog I...
Jul 2nd
Alex Hutton: ernie harwell eharwell.com (via Twitter / Alex Hutton)
Jul 1st