Auditing Unix Systems - PCI DSS, SOX, HIPAA

Tuesday, March 31, 2009

Lynis is an auditing tool for Unix systems. It scans the system and the software installed on it to detect security issues. Besides security-related information, it also collects general system information, installed packages and configuration mistakes.

This software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can even be run from a USB stick or CD-ROM and does not require write access to the system.

Compliance Audits:

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

Lynis has more than 200 security checks and is available as RPM, DEB and source.

Lynis can be found at rootkit.nl with documentation.


!exploitable by Microsoft - Debugging Extension

!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (WinDbg) by Microsoft that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown.

As its name suggests, !exploitable Crash Analyzer (pronounced “bang exploitable crash analyzer”) combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. This tool provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.

The tool creates hashes to identify which crashes are unique, then rates each one according to how exploitable it is: Exploitable, Probably Exploitable, Probably Not Exploitable or Unknown.
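A simplified crash-bucketing and rating routine in the same spirit, added here as an illustration and not the !exploitable code itself: the frame-normalization, the major/minor hash depth and the address-based heuristics are my own assumptions about how such a tool can be approximated, and the crash records are constructed samples rather than real dumps.

```python
import hashlib
from dataclasses import dataclass

# The four classes the tool reports, ordered from most to least severe.
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

@dataclass
class Crash:
    exception: str   # e.g. "ACCESS_VIOLATION", "STACK_OVERFLOW"
    access: str      # "read", "write", "execute", or "" when not applicable
    address: int     # faulting data address
    frames: list     # innermost frame first, as "module!function+offset"

def crash_hashes(crash: Crash, major_depth: int = 5):
    # Strip "+offset" so the same bug in a rebuilt binary still lands in one bucket.
    norm = [f.split("+", 1)[0].lower() for f in crash.frames]
    # Major hash: top frames only (coarse bucket). Minor hash: the whole stack.
    major = hashlib.sha1("|".join(norm[:major_depth]).encode()).hexdigest()[:16]
    minor = hashlib.sha1("|".join(norm).encode()).hexdigest()[:16]
    return major, minor

def rate(crash: Crash) -> str:
    # Heuristic rating (assumed thresholds): faults near address zero are usually
    # plain NULL dereferences, while writes and instruction fetches elsewhere are worse.
    near_null = crash.address < 0x10000
    if crash.exception == "ACCESS_VIOLATION":
        if crash.access == "execute":
            return "EXPLOITABLE"            # instruction fetch from a data address
        if crash.access == "write":
            return "PROBABLY_EXPLOITABLE" if near_null else "EXPLOITABLE"
        if crash.access == "read":
            return "PROBABLY_NOT_EXPLOITABLE" if near_null else "PROBABLY_EXPLOITABLE"
    if crash.exception == "STACK_OVERFLOW":
        return "PROBABLY_NOT_EXPLOITABLE"   # typically runaway recursion: a crash, not a hijack
    return "UNKNOWN"

def triage(crashes):
    # Collapse duplicates by major hash, keeping the worst rating seen per bucket.
    buckets = {}
    for c in crashes:
        major, _ = crash_hashes(c)
        r = rate(c)
        if major not in buckets or SEVERITY.index(r) < SEVERITY.index(buckets[major]):
            buckets[major] = r
    return buckets

# Constructed sample crashes (not real dumps): the first two are one bug at two offsets.
SAMPLE = [
    Crash("ACCESS_VIOLATION", "write", 0x41414141, ["app!parse_header+0x12", "app!main+0x40"]),
    Crash("ACCESS_VIOLATION", "write", 0x41414151, ["app!parse_header+0x1a", "app!main+0x40"]),
    Crash("ACCESS_VIOLATION", "read", 0x8, ["app!lookup+0x3", "app!main+0x55"]),
    Crash("STACK_OVERFLOW", "", 0x7ffd0000, ["app!recurse+0x5"] * 3),
]
```

Running `triage(SAMPLE)` collapses the four records into three buckets, one of them rated EXPLOITABLE, which is the kind of shortlist the paragraph above describes.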

The project can be found at CodePlex, and to learn more you can read the accompanying ppt.

Anish


Security concerns with the cloud

Thursday, March 26, 2009

Cloud computing has got a lot of media hype, and everybody who can offer cloud computing is building infrastructure for it, like Google, Microsoft and SUN. The bigger problem is why companies should store official data on somebody else's machines. I know all your emails, etc. have been online for ages now, but corporate business data is something entirely different.

There are many regulatory and legal concerns in putting your data into somebody else's basket. In fact, in any given company, employees who are not involved with a particular project or its data are kept away from that data, and only the person who is supposed to work with the data has access to it. So when an employee of the same company or department does not have access to the particular data, how can companies think about putting their data with a completely different company like Google or MSFT?

These cloud companies never share how they store the data or who in their company can access the clients' data, and even if they have security controls, we all know controls can be bypassed.

Why should these cloud companies be a single point of failure for a business's data? Live Mail suffered a long outage 2 weeks back, and every month Google has been giving shocks to companies using Google Apps for Business: Gmail being down for hours, then the security glitch at Google Docs.

There are many concerns regarding the safeguarding of data with these cloud computing companies:

1) Of course, with Google being down for hours across multiple services, the overall reputation of cloud computing companies has gone down.
2) How can the cloud computing companies' applications be trusted? They are written by humans; bugs are bound to be discovered, and data leaks are very much possible.
3) What if critical data is not available when it is needed? Who is responsible for the loss of opportunity?
4) What about compliance and legal issues? Who will take care of them?
5) Who can guarantee that these cloud companies won't index your data to create targeted ads or study trends?
6) If a company wants to run data mining on who is accessing their data, can the cloud providers provide the logs, and how will the logs be provided? How easy should it be to get the logs?
7) Can cloud companies confirm how many servers their data will be traveling through?

There are many questions and concerns regarding cloud computing that need to be answered, but the cloud strategy is here to stay because of the investments made by the big players; I wonder whether they will let it become yet another failure.


Piracy ThePirateWay Oops ThePirateBay

ThePirateBay.Org went through some troubled times with a lawsuit regarding their hosting of torrents. They have now come up with a VPN service that stores no logs, so now no one can know who is downloading what and from where. This is a real shocker for the copyright and legal folks bothering the TPB guys and the users of TPB.

The VPN service they are offering will be secure and provide point-to-point encryption, which even ISPs should now be scared of; the only thing the ISPs and watchers can know is that their customers are connecting to the TPB VPN servers, but they won't be able to get the actual details of who is downloading, what is being downloaded and from where. The VPN service is called 'IPREDator'.

ThePirateBay's VPN service is currently in beta for testing and should soon be available to anyone who wants to use it for a small fee of 5 Euro/month.

I have personally met the founders of ThePirateBay, and the best thing about them is that these guys have the balls to say Fuck You in the face of copyright activists.

Cheers.
