From Security Weekly Wiki
10 bytes added ,  02:11, 11 October 2014
Text replacement - "PaulDotCOm" to "Paul Asadoorian"
# '''** WARNING: I was angry when I wrote this **'''
# [ Why Microsoft Patch Tuesday Is Bullshit] - [Paul] - It's an article I wrote about, well, the title gives it away. Basically, we got a regular patch schedule because sysadmins bitched and it cost large organizations too much money to apply patches as they came out. Why Microsoft felt they needed to solve this problem is the bullshit part. Basically, take matters into your own hands when it comes to risk management in your organization; for more, check out the article. Feel free to send me flame mail, just no bitching.
# [ Don't Leave Your Backdoor Open - Someone will find it on Twitter] - [Paul Asadoorian] - So here's the deal: if you let a 3rd party app access your Twitter account, then change your password, the 3rd party app can still access your Twitter account. The OAuth protocol apparently allows it to do this, and the only thing you can do is not allow apps, at all, to access your Twitter account. Kinda like federal prison, watch your backdoor, someone could exploit it at any moment.
#[ More SSL Holes - MITM attack] - [Paul Asadoorian] - This was the big news, and many of us have heard by now. One thing though that I wanted to point out: "the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS". This means you, Mr. "We use SSL VPNs because they are faster and easier to deploy". You pushed the easy button, and the security devil is coming back to collect its debt, guess what? It's not a huge gaping security hole in your organization that could compromise the security of your network, because you compromised and used SSL. You should have known better, Mr. "Easy Button", SSL only starts implementing security at Layer 4, way too late. Not to say that anything is perfect or doesn't have vulnerabilities, but you have to be able to see the larger picture and understand what types of things typically lead to bad things, and SSL has proven to be one of those things...
#[ The Tale of an Unsatisfied Security Professional] - [Paul] - My fear is that there are many of us in this situation. You are the security "rock star" in your organization, jamming and rocking the crowd every week. However, there atop your organization sits big bad management, right next to the big bad auditors. Management only listens to the auditors, and looks at everything that you do as a "check box". Step outside anything that smells like a "check box" and it's instantly shot down. Let me ask you this: why don't security people wield the same power as the auditors? In fact, why don't the auditors report to us? That way we can keep them in line and make sure we're not just checking fucking boxes.
#[ Fear and Overreaction] - [Paul] - I think Bruce makes some good points, but on the whole I think people need to be more afraid AND act rationally about it (which is sorta where he is going). People tend to not even let the threats sink in, don't understand the consequences, and therefore don't even react and end up trapped in a burning building. I think that books like Daemon and "Forb1dd3n" are important for people to read, and help them understand how security threats affect them, and cause them to think about the appropriate action, not over- or under-reaction.
