Here are today's Interesting Information Security Bits from around the web.

1. In their continuing series that documents the infosec community in various cities, InfosecEvents looks at Las Vegas this week.
   Las Vegas Security Community | Infosec Events
   Tags: ( community )
2. Looks like the folks on the Vulnerability Research Team at Sourcefire have come up with a new tool for us to play with, Razorback. From the post "Razorback is an Open-Source Framework for an intelligence driven security solution." Looks like fun.
   Project Razorback has been unleashed on the World | Joel Esler
   Tags: ( sourcefire tools razorback )
3. A new certificate is coming that hope to raise the knowledge level of IT professionals on the topic of security and cloud computing. The reference material is very good material from ENISA and the Cloud Security Alliance.
   Certificate of Cloud Security Knowledge | Cloud Security Alliance
   Tags: ( cloud certification )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Barracuda Networks issued a press release this morning discussing two presentations that will occur in Las Vegas this week and the release of their 2010 Mid-year Security Report.

The first presentation, titled "The Dark Side of Twitter", will be given at Security BSides Las Vegas this afternoon at 3:00 PST. This presentation will explore the data that Barracuda has collected that shows that Twitter use continues to rise. Along with that rise is an increase in the amount of malware that advertises itself via Twitter.

The second presentation, titled "Searching for Malware", will be given at Defcon 18 at 11:00 a.m. PST, Saturday, July 31st. It explores two months worth of search data collected by Barracuda Networks looking for trends in malware distribution and the search engines that return the most results which point to malware distribution sites.

Finally, the Barracuda Labs 2010 Mid-year Security report will be available soon. You will be able to find it here

More information can be found on the Barracuda Labs website and on the Barracuda Blog.

Full Press Release:

Google Crowned “King of Malware” – Has Two Times More Malware than Bing, Yahoo! and Twitter Combined

Barracuda Labs Issues 2010 Midyear Security Report, Presents Findings at DefCON 18 and Security BSides Las Vegas
Campbell, Calif. (July 28, 2010) –– Barracuda Networks Inc., a leading provider of content security, data protection and application delivery solutions, today released its Barracuda Labs 2010 Midyear Security Report, revealing data from two key areas: search engine malware  and Twitter use and crime rate. The company is presenting this data at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. The full report is available at the company’s security research portal at http://barracudalabs.com.

Searching for Malware
Barracuda Labs conducted a study across Bing, Google, Twitter and Yahoo!, over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors. The results will be presented at DefCON 18 on Saturday, July 31, at 11:00 a.m. PT, at the Riviera Hotel & Casino.

Key highlights from the search engine study include:

• Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
• The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
• Over half of the malware found was between the hours of 4:00 a.m. and 10:00 a.m. GMT.
• The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Darkside of Twitter
Barracuda Labs analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3. The results will be presented at Security Bsides Las Vegas on Wednesday, July 28, at 3:00 p.m. PT, at the 2810 Resort.

Key highlights from the Twitter research include:

• In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
• Only 28.87 percent of Twitter users are actual True Twitter Users.
• Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
• One in every eight Twitter users has at least 10 times more followers than they are following.
• Only one in 10 users is following more than 100 users, and almost half are following less than five.
• The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

To review the complete Barracuda Labs 2010 Midyear Security Report and the company’s security portal, please visit http://barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions.  The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L'Oreal, and Europcar are among the more than 100,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions.  Barracuda Networks is privately held with its International headquarters in Campbell, Calif.  For more information, please visit www.barracudanetworks.com.

#  #  #
Resources:
Download the Barracuda Labs 2010 Midyear Security Report at http://www.barracudalabs.com/research_resources.html.
View the Barracuda Labs security research portal at http://BarracudaLabs.com.
Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:
1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.
2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.
3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.
#  #  #

Here are today's Interesting Information Security Bits from around the web.

1. There is a data dump of all publicly searchable Facebook users out there right now. The Harmony Guy has an interesting post talking about the situation.
   Security Through Obscurity and Privacy in Practice | Social Hacking
   Tags: ( facebook privacy )
2. Check out this post for some information about two privacy bills currently working their way through the US Congress.
   Sunbelt Blog: Privacy bills in U.S. Congress in brief
   Tags: ( privacy laws )
3. Here a reasoned post on the susceptibility of Apple products to the same threats that exist for Windows products.
   Yes Virginia, Mac's Can Get Viruses | Optimal Security: The Lumension Blog
   Tags: ( apple malware )
4. Here is a machine readable Defcon 18 schedule. Very nice. It is available in XML, iCal and HTML formats.
   DefCon 18 Schedule | Perimeter Grid
   Tags: ( )
5. The 2010 Verizon Data Breach report has been released. This year it includes data from the U.S. Secret Service. I am looking forward to reading it. You should too.
   Verizon Business Security Blog >> Blog Archive >> 2010 Data Breach Investigations Report Released
   Tags: ( data-breach dbir )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Here are today's Interesting Information Security Bits from around the web.

1. In the continuing series on the infosec community in various cities, Washington D.C. gets some attention. If you are in the DC area, you should check out these opportunities.
   Washington, DC Security Community | Infosec Events
   Tags: ( community )
2. Mike and Lee's 2010 Compensation Survey results are now available. Some interesting stuff in there.
   2010 Compensation Survey : Information Security Leaders
   Tags: ( career compensation )
3. Anton has penned another career focused post. Very good advice in here. You should read it.
   Anton Chuvakin Blog - "Security Warrior": Skills for Work vs Skills for Getting Hired
   Tags: ( career )
4. Hmm. Interesting thoughts on DMCA and reverse engineering software.
   HP Blogs - The DMCA vs "Reverse Engineering" Software - HP Blogs
   Tags: ( general )
5. If you like podcasts, check out Wim's list.
   The Security Kitchen >> Blog Archive >> list of podcasts
   Tags: ( podcasts )
6. Andrew offers up a few basic things you can do to make your SSH service a bit more secure.
   Basic SSH server hardening << Infosanity's Blog
   Tags: ( ssh tips )
7. Alex points out that Cisco's security report is available.
   Cisco's Artichoke of Attack << The New School of Information Security
   Tags: ( report cisco )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Here are today's Interesting Information Security Bits from around the web.

1. Alchemist has offered up some dos and don'ts for when you are evaluating products/solutions. Some good tips and things to think about.
   Technology Evaluation Do's and Don'ts << An alchemists view from the bar
   Tags: ( infoec evaluation )
2. Just read it. It kind of defies description.
   Last In - First Out: Just another day in Internet-land
   Tags: ( general )
3. This looks like a nifty post installation script. It installs some stuff and tweaks some stuff. I have taken a cursory look at what it does and it appears good. Please double check everything yourself though.
   infond: infondlinux - a post installation script for Ubuntu
   Tags: ( linux )
4. Looks like Adobe is taking a very good step forward in security Reader.
   Adobe: 'Sandbox' Will Stave Off Reader Attacks -- Krebs on Security
   Tags: ( adobe reader )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Here are today's Interesting Information Security Bits from around the web.

1. Ukraine now has a data protection law.
   Ukraine Adopts a New Data Protection Law : Privacy & Information Security Law Blog
   Tags: ( privacy law ukraine )
2. Wow. This is both very very cool and very very scary. That means it is useful for showing the dangers of XSS. Check it out.
   Attack and Defense Labs: Shell of the Future - Reverse Web Shell Handler for XSS Exploitation
   Tags: ( pentesting xss shell )
3. As I clicked publish on the last IISB, which mentioned this challenge, I saw tweet with the answer. Sorry about that folks.
   Solution and Winner of the 1st Panda Challenge 2010 | PandaLabs Blog
   Tags: ( challenge panda )
4. Just go read this. It's important.
   What's "a risk" anyway? | RiskAnalys.is
   Tags: ( risk )
5. Here is nifty plugin from Qualys. It checks for security updates for a number of browser support apps like Reader, Java, etc.
   Qualys BrowserCheck
   Tags: ( browser tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

RSA Europe 2010 has opened press registration. The registration page can be reached here.

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. The 1st 2010 challenge from Panda is up.
   Panda Challenge 2010 Edition: 1st challenge up! | PandaLabs Blog
   Tags: ( challenge panda )
2. Malware is very tricky in how it makes itself available across reboots. This post points out yet another way it does so.
   M-unition >> Blog Archive >> Malware Persistence without the Windows Registry
   Tags: ( malware auto-start )
3. What do Shakespeare and botnets have in common? Lori knows something about both. Take a peek. Good suggestions in here.
   Out, Damn'd Bot! Out, I Say!
   Tags: ( botnets )
4. Ghostnomad uses the cleaning of his kitchen floor tile grout as an analogy for dealing with infosec risk. I like it.
   GhostNomad.com >> Tale of Grout
   Tags: ( risk-management )
5. Mark has a list of 10 crazy ideas that he thinks might just change the state of the information security industry. Check it out.
   Curphey 2.0 >> 10 Crazy Ideas That Might Just Change the State of the Security Industry
   Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.

In the last post in this series, a very very long time ago, we took a look at Threat Event Frequency (TEF). In its most simple form TEF means how often does a threat event happen.

We are now going to take a look at the other component of Loss Frequency (LF), Vulnerability. However, this is not how we normally think of vulnerability.

From the  Introduction, Vulnerability is:

The probability that an asset will be unable to resist the actions of a threat agent.

This is quite different than how we normally define vulnerability as information security professionals. We usually view vulnerability as a specific weakness in a system or application. In FAIR, vulnerability is an inverse measure of the ability of an asset to protect itself against the efforts of a threat agent.

A high probability means that the asset will likely be compromised and a low probability means that the asset will be able to effectively resist. You have to let that one percolate for a bit.

Vulnerability is made up of two factors and here we diverge a bit from the Introduction. Both the introduction and the Open Group Risk Taxonomy use Control Strength and Threat Capability as factors of Vulnerability. Jack has since modified this slightly. Threat Capability (TCap) is still used, but Control Strength has been changed to Resistance Strength (RS.) Let's talk about both of these for a second.

Resistance Strength is the probability that an asset can resist a baseline measure of force . Let's say I have a gate that keeps people from coming into my property. Someone on a bicycle would be kept out, but someone in a Mini Cooper wouldn't. We would probably say that the Resistance Strength at that point is pretty low. Replace that flimsy gate with a door to rival those protecting the installation in Cheyenne Mountain and our Resistance Strength goes through the roof.

Threat Capability is just what it sounds like. How capable are the evil doers that are attempting to compromise my asset. Are they riding bicycles or driving Abrams tanks.

Putting the two together, Resistance Strength and Threat Capability, gives us Vulnerability. For instance,  we have that super strong door we were talking about. There is a very high probability that the door will be able to resist a baseline or average level of force.  How about the evil dude on the bicycle? His Threat Capability is very low. Combining the two gives us a very low probability that the asset will be unable to resist the threat agent, i.e. we're going to be just fine.

Next time we are going to take a quick look at how Threat Event Frequency and Vulnerability define Loss Frequency and then we will start of the Probably Loss side of the Risk equation.

As always, please leave a comment or send me a note at kriggins@infosecramblings.com with your thoughts.

-Kevin

Here are today's Interesting Information Security Bits from around the web.

1. Anton is looking for some feedback from you for the 2010 version of the SANS Top 5 Essential Log Reports. Go help him out.
   Anton Chuvakin Blog - "Security Warrior": SANS Top 5 Essential Log Reports Update!
   Tags: ( logging )
2. Another great response to a good question from Mike and Lee. It covers compensation negotiation for a new gig.
   Career Advice Tuesday - "Advice on Negotiating Compensation" | Information Security Leaders
   Tags: ( career negotiation )
3. Looks like AppSec USA 2010 has been announced.
   The Ashimmy Blog: AppSec USA 2010, September 7 to 10 at the University of California at Irvine
   Tags: ( owasp conferences appsec )
4. Rich has posted a sneak peek at some of the data from the Data Security Survey that Securosis has been running. Interesting stuff. There is still time to contribute if you haven't yet.
   Securosis Blog | Preliminary Results from the Data Security Survey
   Tags: ( data )
5. HTML 5 is cool and has nifty things like local storage, but beware, there are some things to think about from an information security perspective. Check out Michael's post for a few items.
   ...Application Security...: HTML5, Local Storage, and XSS
   Tags: ( html5 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin