<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/" -->
<rss version="0.92">
<channel>
	<title>ISIS Blogs</title>
	<link>http://isisblogs.poly.edu</link>
	<description>Information Systems and Internet Security</description>
	<lastBuildDate>Tue, 29 Apr 2008 04:10:59 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Update to Single-Site-Browsers (SSBs)</title>
		<description>I spent a lot more time thinking about SSBs over the last week or so and I'd like to use this blog to do a bit of a brain dump. A few days ago, Andrew Jaquith publicly posted the presentation that was sent to me privately. Here are links to ...</description>
		<link>http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/</link>
			</item>
	<item>
		<title>SFS presentation about Synology</title>
		<description>This morning I summed up everything that happened with Synology and everything I have continued working on since my previous article was written in a deck of slides at the weekly SFS meeting.

Here is an overview of the items not covered in the previous article:

The director of software development at ...</description>
		<link>http://isisblogs.poly.edu/2008/04/16/sfs-presentation-about-synology/</link>
			</item>
	<item>
		<title>Just wanted to get this out there</title>
		<description>I'm sure most of you have read the article in BusinessWeek that turned up on Slashdot regarding the hacker attacks the US government has to deal with. If you haven't, you really should read it because despite its obvious inaccuracies (journalists always get something horribly wrong) it's got a ton ...</description>
		<link>http://isisblogs.poly.edu/2008/04/10/just-wanted-to-get-this-out-there/</link>
			</item>
	<item>
		<title>BackTrack 3: Demos of selected tools</title>
		<description>BackTrack 3 (2007-12-14) is a penetration testing live Linux distribution. It is packed with a plethora of tools organized by categories.

With this large amount of utilities, it is sometimes hard to pick the correct one for the job. At Shmoocon 2008, a BackTrack representative gave a talk which was good, but ...</description>
		<link>http://isisblogs.poly.edu/2008/04/08/backtrack-3-demos-of-selected-tools/</link>
			</item>
	<item>
		<title>The dumbest thing I had to learn for the CISSP</title>
		<description>Started because of the following twitter from tqbf

STRIDE is the dumbest acronym in security.

There are two kinds of dumb:


	dumb == harmful
	dumb == pathetic


STRIDE has a little bit of both in it, it's pretty high on the dumb scale.

I'm taking votes for either. What's the overall dumbest term in security (acronym ...</description>
		<link>http://isisblogs.poly.edu/2008/04/07/the-dumbest-thing-i-had-to-learn-for-the-cissp/</link>
			</item>
	<item>
		<title>Multiple Vulnerabilities in ALL Synology Products</title>
		<description>In an earlier post to my personal blog as well as to this blog, I enthusiastically recommended the Synology CS407 NAS as a data storage/backup platform. I am now taking that recommendation back.

Let me just say this: it seemed like a good choice at the time, and, if I could ...</description>
		<link>http://isisblogs.poly.edu/2008/04/04/multiple-vulnerabilities-in-all-synology-products/</link>
			</item>
	<item>
		<title>RFID security &#8212; mark your calendars!</title>
		<description>ISIS lab alumnus Mike Aiello will be on CBS National News @ 6pm on Sunday, April 6th talking about RFID security. Mike runs DIFRWear, a company that makes RFID-blocking apparel.</description>
		<link>http://isisblogs.poly.edu/2008/04/03/rfid-security-mark-your-calendars/</link>
			</item>
	<item>
		<title>We promise we won&#8217;t store your password</title>
		<description>This is a short rant prompted by another student's observation that Yelp actually asks for your Gmail password as part of their signup process...

Have you encountered a website that asks for the username and password to your e-mail provider? I'm talking about this:



LinkedIn asking for my Gmail password

Yelp asking for ...</description>
		<link>http://isisblogs.poly.edu/2008/03/30/we-promise-we-wont-store-your-password/</link>
			</item>
	<item>
		<title>Paper Discussion - Do Background Images Improve “Draw a Secret” Graphical Passwords?</title>
		<description>Short Summary of the paper:

Draw a Secret (DAS) is a graphical password scheme where users are supposed to draw a secret on a grid. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret. Each time a user ...</description>
		<link>http://isisblogs.poly.edu/2008/03/29/paper-discussion-do-background-images-improve-%e2%80%9cdraw-a-secret%e2%80%9d-graphical-passwords/</link>
			</item>
	<item>
		<title>Single Site Browsers</title>
		<description>Single Site Browsers [to be uploaded later]

It's an interesting idea and I can't disagree with the concept (&#60;3 &#60;3 separation of privilege) but I think it's missing a few things. Here are some observations I made about it.

	They acknowledge that SSBs do nothing against malware.
	It solves the problem of webpages ...</description>
		<link>http://isisblogs.poly.edu/2008/03/13/single-site-browsers/</link>
			</item>
</channel>
</rss>
