  • Does the Mac have an edge against state-sponsored hacking? | Security – InfoWorld

    Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it’s a whole different story. “They’re pretty good for [protecting from] remote exploitation,” Stamos said. “[But] once you install OS X server you’re toast.” via Does the Mac have an edge against state-sponsored…

  • Exploitability Index | Prioritize Deployment of Security Updates

    Microsoft is helping define the importance of patches based on exploit likelihood. This might fit with a risk assessment, but it is unlikely to really change the need for rapid patching. My question is: does this really help you prioritize? I think that with the release of a patch these indexes might change rapidly and…

  • White House Issues Online Trusted Identities Plan — InformationWeek

    The framework that NIST has created for online identity really needs ownership to be successful. The White House should encourage companies to start a consortium to prototype the concept, similar to the OATH consortium. It would be disappointing to see differing standards created that would not be compatible. NIST's framework tries to prevent that, but as…

  • RSA hackers exploited Flash zero-day bug | simplesitetutorials.org

    An Advanced Persistent Threat (APT) used a 0-day for Adobe Flash and a phishing email to compromise RSA. The exploit is now being patched, but it always seems like companies are helpless to protect against these attacks without severely limiting functionality. A couple of products on the market claim to stop these…

  • APT Tabletop Exercise

    Kevin Liston's post on tabletop exercises is much like a pentest, but using an exercise to see how effective your defenders are against attacks. It is a good idea because it goes through the phases of incident response (and the attack). I might suggest augmenting this with a custom-built attack using Metasploit.…

  • Does RSA SecurID have a US gov’t-authorized back door?

    Interesting, but no clear evidence for this conclusion. Just because RSA doesn't deny there is a backdoor doesn't mean there is a backdoor.

  • Microsoft warns: Fraudulent digital certificates issued for high-value websites | ZDNet

    It is interesting that Comodo would have even allowed these certificates to be generated. In most cases there is verification of ownership of the domain before a certificate is issued. This makes me wonder where those checks failed. It is a best practice in corporate PKI to have human intervention specifically for high-risk certificates.…