A security checklist for a developer might make it look like writing secure code is kids' stuff, but even kids think like attackers sometimes. Microsoft are doing some interesting work on SDL – Secure Development Lifecycle. I’m just not sure I agree with dumbing it all down to a checklist and letting developers work without …
This political cartoon was posted exactly 2 years ago in the Jerusalem Post. The world financial markets are on fire and Zipi Livni is busy logrolling and playing spin the bottle with Shas and the Labor Party (who are trying to disguise their own version of corruption as a social conscience). Omer Zak has written …
A while back, a colleague asked me what is the best way to encrypt internal email. My first question to him was – what is the threat, who is the attacker and what is the asset you are protecting? Are you trying to encrypt business communications between employees and vendors/customers to protect from eavesdroppers or …
Thursday this week is the 7th anniversary of the Al Qaeda attack on the US in New York on 9/11/2001. The world today is more connected, more always-on, more accessible…and more hostile. There are threats from Islamic terror, identity theft, hacking for pay, custom spyware, mobile malware, money laundering and corporate espionage. For those of …
I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3). I’m a little dubious about viruses landing up in the number 2 slot. We haven’t even installed anti-virus software on our office workstations in the …
There is an automated self-service fingerprint ID system for passport control at Ben Gurion Airport. I was one of the early adopters and stopped after a year of frustrating attempts to get it to recognize my fingers. They were charging 50 sheqels/year for the service – the last thing an Israeli wants is to be …
Just saw a post from a month ago by Jeremiah Grossman from White Hat Security on his blog: “PCI-DSS references the outdated OWASP Top Ten”. There are actually a number of more serious technical issues with PCI DSS 1.1 than using the OWASP Top 10 from 4 years ago. Note the definition of vulnerability management …
I was working on an article on a holistic approach to data leakage, fraud and revenue leakage today. Spent most of my Sunday reading and trying to summarize some of the work we’ve done with our telecom service provider customers in Israel and Poland. I came across a thread entitled What is the acceptable percentage …
I took a couple hours out from work today to pop over to Infosec 2008 in Airport City. I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues. Whenever I go somewhere – I’m always looking …