SecureState Information Security Blog: comments feed (last updated 2022-04-04)

Chaz Braman (2010-08-27):
The SANS Institute just published a paper entitled "Leveraging the Load Balancer to Fight DDoS". Very interesting read.
http://www.sans.org/reading_room/whitepapers/firewalls/leveraging-load-balancer-fight-ddos_33408

Alex Hamerstone (2010-08-27):
Great blog Gary. I would definitely like to see more of your thoughts on homograph attacks.

ConcernedResident (2010-08-26):
Someone also mentioned that you can fake your location by manipulating the POST request containing location coordinates with a web proxy (like Burp or Paros).

Alex Hamerstone (2010-08-24):
Thanks for the great blog Tom. One tip to keep in mind is that on the Droid, make sure you go to Settings->Applications->Developers and select "Allow mock locations" to make sure this works.

Ken Stasiak (2010-08-23):
A vulnerability assessment does not help "....in understanding a company's threat profile."; it is an important variable in a risk equation (Risk = Threat + Vulnerability - Counter Measures). The ability to understand the threat posture is critical, but as depicted it is a completely separate variable from a vulnerability assessment.

Very few companies fully understand the value around

Alex Hamerstone (2010-08-17):
Great post. Thank you for the update.

Alex Hamerstone (2010-08-12):
I absolutely agree that the team approach is an effective means to improve security.

Alex Hamerstone (2010-08-10):
Great post. I look forward to seeing more posts on SSL. Any chance you may write about SET?

Alex Hamerstone (2010-08-10):
Thank you for this information. As a CTGA, I am certainly interested in learning more about what Barnaby discovered.

Alex Hamerstone (2010-08-05):
I enjoy all these podcasts. Especially Security Justice.

Alex Hamerstone (2010-08-05):
Great segment. Keep up the good work.

Alex Hamerstone (2010-08-03):
Great points throughout. It is so important that we keep moving towards our goals without being sidetracked by minutiae.

Prashant Jain (2010-04-22):
Very nicely written in a very simple language.

Keep up the good work.

Alex Hamerstone (2010-04-09):
Great post. I would be interested to see Pierre de Fermat's take.

RizzyRong (2010-04-09):
I agree with Alex, I could see using the iPad as a reading device. I download TONS of manuals and never end up reading them because, as Alex put it, "The screen (on my phone) is far too small to really be enjoyable. My laptop is too big and awkward to use to read the paper while on the couch, outside etc.". I plan on giving it about six months, then I might get an iPad.

Alex Hamerstone (2010-04-08):
I am a voracious consumer of news; I now read newspapers and magazines on my Motorola Droid. The screen is far too small to really be enjoyable. My laptop is too big and awkward to use to read the paper while on the couch, outside etc. It seems to me the iPad will be great as a media reader and will nicely fill the space between phones and laptops.

Anonymous (2010-04-08):
It sounds like it's definitely not a replacement for your phone and not quite a replacement for your laptop either. I wonder, when the novelty wears off, if there will be a place for the iPad in your arsenal.

Anonymous (2010-03-30):
Gambling here is a great analogy. Part of the problem is the clear lack of understanding of the threats, since they aren't shared. Companies do their best to sweep breaches under the rug. So take these examples and start applying ranges (e.g. 20-80 chance that 100-300 die) to the results rather than easy calculations. It tends to favor indecision.

"What happens in security, stays in

Adam (2010-03-19):
"The solution that I am proposing is that instead of focusing so much time on the technical side of penetration testing, that the pen tester needs to also understand the business, its data, the owners, priorities, concerns, risk perception, etc."

Agree with your general idea completely, from the perspective that the greatest value from pentesting is in helping your

Steve Erdman (2010-03-18):
Well, in my experience hibernation has been slower than both Sleep mode and just rebooting. It has to write your entire state to the drive before going to power save mode and has to read all that back in when starting back up. Especially with SSDs, I can get my machine back up and running way faster than writing all that to disk. Not to mention, the file for hibernation takes up about 3GB on your

Andrew Weidenhamer (2010-03-18):
CG, although I agree that a Risk Assessment should occur, unfortunately that would be in a separate assessment. Just because a client chooses an internal penetration assessment as opposed to a risk assessment for whatever reason doesn't then imply that the company actually performing the assessment shouldn't try to provide value. Although, you may not be able to completely understand the

Anonymous (2010-03-18):
First, let me stipulate that all those approaches, procedures, methodologies, etc. mentioned in the base article have a place in the security lifecycle. The statement that the ultimate goal of a PT is to improve the client's security is absolutely right on. Having said that, most of what is described is simply NOT Penetration Testing, unless you simply want to redefine the term (and

CG (2010-03-18):
Perhaps it would be better to insist that a solid risk assessment be performed long before you send in the trigger pullers (your Defcon crowd you keep mentioning).

I agree with you that risk assessments/evaluations should occur. I disagree that you should lump them into the same 1 or 2 week period as your technical assessment. It's infeasible to think you can really understand a

Andrew Weidenhamer (2010-03-18):
I may have overstated how much time should be dedicated to actually understanding the business, but the point is clear. In order to provide value to your client, an attempt to understand the business needs to be made. This may change what skills a prototypical pen tester needs in order to perform a value added assessment.

zqyves (2010-03-18):
I completely agree with "the understanding the business behind what they are testing" approach. It is very important to be able to understand the ramifications of your intrusion and explain it in business terms to those that contracted you in the first place. This can be achieved in a half day meeting. Understand the system, its usage, its users, its data, its connections.