Archive for the 'Uncategorized' Category

Security Meetup 07/09 Cancelled

I’m going on a date to the Chelsea Art Museum’s Young Associates Party. :-P

Security Meetup June 18th Cancelled

Go to the OWASP meeting instead!

Security Prediction Markets

A few days ago, Adam Shostack over at the Emergent Chaos blog invited some comments about using prediction markets for security-related events/decisions. This is a topic I’ve discussed quite a few times with a friend of mine and I have some fairly strong opinions about it (it’s a dead end), so I made a few quick statements pointing out its shortcomings. In a follow-up article, Adam quoted one of my responses in the article itself! I thought his comments and my response were relevant enough to repost here, but if this is a topic that interests you I encourage you to read both of the original articles and leave a comment there.

Quoted from Adam’s follow-up post:

Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”

I don’t think he’s actually right. Oftentimes, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?


BackTrack 3: Demos of selected tools

BackTrack 3 (2007-12-14) is a penetration testing live Linux distribution. It is packed with a plethora of tools organized by category.


With this large number of utilities, it is sometimes hard to pick the correct one for the job. At Shmoocon 2008, a BackTrack representative gave a talk which was good, but it focused on exploiting a Windows binary using Olly rather than on showing off the features of the distribution. So I took it upon myself to click on every single link and find the awesome and the less awesome tools among the bunch. Note that the work I did was for a presentation. There are videos which are self-explanatory but at times need commentary; I will provide some explanation in writing.


Prioritizing Vulnerabilities for Remediation

Information security is about reducing risk. Therefore, risk management activities must be conducted to identify potential problems and prepare for them. Various security management tools exist to help us determine the risk to our systems. These tools can take data from security tools such as Nessus and Snort, perform some form of analysis (trend analysis, risk calculations, etc.) and generate reports. However, to fully take advantage of these systems, they must be configured with the criticality values of the various assets they cover.

Unfortunately, there do not seem to be any foolproof methods for calculating asset values.

My presentation provides a possible guideline to measure relative asset values. This will aid in prioritizing remediation.


Terrorists on the Internet … Dude

Upon finding out that I study information security, a question people often ask me is:

“Alright dude, so like, if all these terrorists go around posting stuff on the Internet, why can’t we just use their Internet posts to track them down?”

What annoys me is that I can think of several answers to this question, but I do not know which one is actually true most of the time.


What does “security research” mean to you?

Given that we are a group of students that want to be actively engaged in “security research”, I often ponder: what does the term “security research” mean to you? Some of us are into reverse engineering, some of us are into language-level security, some of us are into network-level detection and prevention. When I speak to anyone working in any of these fields, they will usually light up and go off on how the problem they are working on is a major component in solving problem X, and problem X is one of the top reasons why the state of security is as poor as it is. Success is no longer measured by protecting C, I, and A, but by making executables with randomized address spaces, by creating IPS that block anything suspicious, or by virtual machines that sandbox as much as possible.

I guess what I am trying to say is that people sometimes lose track of the larger picture while working on specific problems. While specifics are arguably most important in correcting problems, people should not lose track of the larger picture.

Comments?