Thursday, August 16, 2007

Covert Crawling Web 2.0

Back in 2006 I saw Billy Hoffman give a talk on an app he built to emulate the user/browser experience and covertly crawl a website. (Wired article or MP4 of the talk)

This was neat, and I had a few tangential thoughts on the way into work. If this sort of technology were extended to be aware of specific website interfaces, we could do some neat things.

Take social networking sites, for instance. We could build a map of trust relationships by crawling through the site. MySpace would be pretty easy. You could also find users over a certain age who have an excessive number of friends in a very different age bracket. Hello, Dateline.

Even neater still would be to extend it to What a pile of recon information that is! Not only could you create groups of individuals who work at a target company (potentially even a pseudo org chart), you could also count the other organizations linked to that group and set thresholds that identify specific partners of the target. Lots of Oracle sales reps linked in with the target company's IT department teams? Hrm, must be an Oracle shop.

If you're patient, you can do this over time too. A sudden influx of a security vendor being linked in through IT? Maybe they had an incident. Or maybe they just bought a new whizbang product and are currently deploying it. Wonder what that sales engineer who just linked up with half their IT staff specializes in? Oh, it says so in his bio.
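The two analyses sketched above (thresholding external organizations by how much of the target's staff they touch, and spotting a sudden influx of links from one organization over time) are simple enough to show on a constructed edge list. The block below is an added example written for this post, not Billy Hoffman's tool or anything the post shipped; it assumes a site-aware crawler has already produced (employee, contact, contact's organization, date first seen) tuples, and the sample rows, organization names and thresholds are all made up for illustration. Nothing here touches a network.

```python
"""Link-analysis sketch for crawler-collected social-network edges.

Added example, not the post's own code. Assumes a crawler has already
produced edges of the form (target_employee, contact, contact_org, first_seen).
"""
from collections import defaultdict
from datetime import date

# Constructed sample data: links from a target company's IT staff to outsiders.
# Organizations, names and dates are hypothetical.
SAMPLE_EDGES = [
    ("alice@target", "bob",     "Oracle",      date(2007, 1, 10)),
    ("alice@target", "carol",   "Oracle",      date(2007, 2, 3)),
    ("dave@target",  "erin",    "Oracle",      date(2007, 3, 15)),
    ("dave@target",  "frank",   "Cisco",       date(2006, 11, 1)),
    ("grace@target", "heidi",   "Oracle",      date(2007, 4, 20)),
    ("grace@target", "ivan",    "SecVendor",   date(2007, 8, 1)),
    ("alice@target", "judy",    "SecVendor",   date(2007, 8, 2)),
    ("dave@target",  "mallory", "SecVendor",   date(2007, 8, 3)),
    ("grace@target", "niaj",    "UniversityX", date(2005, 6, 6)),
]

# Hypothetical snapshot boundary for the "over time" view.
INFLUX_SINCE = date(2007, 8, 1)


def org_affinity(edges):
    """Map each external organization to the number of DISTINCT target
    employees linked to it. Counting people rather than raw links keeps one
    chatty employee with many contacts from inflating an organization."""
    staff_by_org = defaultdict(set)
    for employee, _contact, org, _seen in edges:
        staff_by_org[org].add(employee)
    return {org: len(staff) for org, staff in staff_by_org.items()}


def likely_partners(edges, min_share=0.5):
    """Organizations linked to at least `min_share` of the observed target staff.
    This is the 'must be an Oracle shop' threshold from the text."""
    staff = {employee for employee, *_ in edges}
    counts = org_affinity(edges)
    return sorted(org for org, n in counts.items() if n / len(staff) >= min_share)


def recent_influx(edges, since, min_new=2):
    """Organizations that gained at least `min_new` distinct target-staff links
    on or after `since`. Returns {org: (staff linked before, staff newly linked)}
    so a brand-new vendor (prior == 0) stands out from a long-time partner that
    merely added a contact."""
    prior, new = defaultdict(set), defaultdict(set)
    for employee, _contact, org, seen in edges:
        (new if seen >= since else prior)[org].add(employee)
    return {org: (len(prior[org]), len(staff))
            for org, staff in new.items() if len(staff) >= min_new}


if __name__ == "__main__":
    print("affinity:", org_affinity(SAMPLE_EDGES))
    print("likely partners:", likely_partners(SAMPLE_EDGES))
    print("influx since", INFLUX_SINCE, ":", recent_influx(SAMPLE_EDGES, INFLUX_SINCE))
```

On the sample data Oracle and SecVendor both clear the partner threshold, but only SecVendor shows up in the influx view with zero prior links, which is exactly the "new vendor just linked up with half their IT" signal the post describes. The thresholds are arbitrary; on real data you would tune `min_share` and `min_new` against the size of the team you actually managed to enumerate.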

Just food for thought.

Wednesday, August 1, 2007

Book: Inside the Security Mind

In a very TaoSecurity moment, I'm going to quickly review a book. All the way back in January 2005, Dana Epp had an insightful post giving props to the book. It has been on my Amazon wishlist for the last two years, and I finally picked it up and read it while traveling to and from Punta Cana. The table of contents itself shows the book's objectives:

1 Introduction
2 A New Look At Information Security
3 The Four Virtues of Security
4 The Eight Rules of Security
5 Developing a Higher Security Mind
6 Making Security Decisions
7 Know Thyself & Know Thy Enemy
8 Practical Security Assessments
9 The Security Staff
10 Modern Considerations
11 The Rules in Practice
12 Going Forward
A Tips on Keeping Up-to-date
B Ideas for Training
C Additional Recommended Audit Processes

The book itself is a bit dated (2003) and various parts show it (the Modern Considerations and Going Forward chapters), but the majority of the book distills ideas and concepts that practitioners apply on a daily basis. The book is worth reading for chapters 3 and 4 alone. The four virtues and eight rules should resonate loud and clear: for any practitioner these are not new ideas, but there is a lot to be said for clarifying, simplifying, and breaking apart concepts used every day. For the newcomer, these virtues and rules truly dictate what should be internalized.
While part of Practical Security Assessments is a blatant sales pitch for his company's software, it is still refreshing to see down-and-dirty, in-the-trenches suggestions on a potentially intimidating subject. The templates and suggestions put forth are a huge win for this book; they are actionable and can be shimmed between existing processes, giving very good insight into technology deployment.
I don't have a star scale to go by because I'm not a book reviewer, but I do recommend plowing through this in an evening or two. If nothing else, the refreshing content will give you a new perspective on how mature your organization is (or isn't).