Google has a reputation for being open and transparent with many of its initiatives and internal workings, but one of the things that the company hasn’t talked much about publicly until recently is security. In this interview with SearchSecurity.com, the director of security for Google Apps, Eran Feigenbaum, discusses the company’s plans for security around cloud computing and how the model affects compliance efforts.
One of the more widely anticipated keynotes at the RSA Conference this week is the talk by Melissa Hathaway, who was in charge of the Obama administration’s recently completed review of the country’s information security standing. However it now looks unlikely that Hathaway will actually reveal any of the key findings or recommendations in the review during her talk on Wednesday afternoon at the conference.
From Microsoft’s SDL blog (Chris Weber)
I’m writing to tell you about our new Watcher tool for web-app security auditing and testing. Watcher is a plug-in for Eric Lawrence’s Fiddler proxy aimed at helping developers and testers find security issues in their web-apps fast and effortlessly. Because it works passively at runtime, you have to drive it by opening a browser and cruising through your web-app as an end user. For the developer, the tool can provide a quick sanity check, so you can find problems and hot-spots that warrant further attention. In the hands of a pen-tester it can assist in finding issues that lead to other attacks like XSS and CSRF. Read the full story [msdn.com]
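To make the "passive at runtime" idea concrete, here is an added example of a small response auditor in the style a proxy plug-in would run on each response as you browse. It is illustration written for this page, not Watcher's own code, and the four checks (cookie flags, a framing header, a query value reflected verbatim into HTML, and a POST form with no token-like hidden field) are assumptions chosen to show the approach; the sample request and response are constructed.

```python
"""Passive HTTP response auditor (illustrative; not the Watcher plug-in's code).

Given the request URL plus the response headers and body that a proxy would
hand to a plug-in, return a list of finding codes. The checks below are
assumptions chosen for illustration, not a reproduction of Watcher's own.
"""
import re
from urllib.parse import urlparse, parse_qs

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
HIDDEN_INPUT_RE = re.compile(r'<input\b[^>]*type=["\']?hidden["\']?[^>]*>', re.I)
NAME_RE = re.compile(r'name=["\']?([^"\'\s>]+)', re.I)
METHOD_RE = re.compile(r'method=["\']?(\w+)', re.I)
TOKEN_NAME_RE = re.compile(r"csrf|token|nonce", re.I)


def _header(headers, wanted):
    """All values of a header, matched case-insensitively (headers is a list of pairs)."""
    return [v for n, v in headers if n.lower() == wanted.lower()]


def audit(request_url, headers, body):
    """Return finding codes for one request/response pair, in check order."""
    findings = []
    https = urlparse(request_url).scheme == "https"
    ctype = (_header(headers, "Content-Type") or [""])[0].lower()
    is_html = "text/html" in ctype

    # 1. Cookie flags: every Set-Cookie should carry HttpOnly, and Secure over HTTPS.
    for value in _header(headers, "Set-Cookie"):
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{cookie_name}")
        if https and "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{cookie_name}")

    # 2. Clickjacking: an HTML page with no X-Frame-Options header can be framed anywhere.
    if is_html and not _header(headers, "X-Frame-Options"):
        findings.append("missing-x-frame-options")

    # 3. Reflection: a query value echoed verbatim into the HTML is where XSS testing starts.
    if is_html:
        for param, values in parse_qs(urlparse(request_url).query).items():
            for v in values:
                if len(v) >= 4 and v in body:
                    findings.append(f"reflected-parameter:{param}")

    # 4. CSRF indicator: a POST form with no hidden field whose name looks like a token.
    if is_html:
        for attrs, inner in FORM_RE.findall(body):
            m = METHOD_RE.search(attrs)
            if not m or m.group(1).lower() != "post":
                continue
            hidden_names = []
            for tag in HIDDEN_INPUT_RE.findall(inner):
                nm = NAME_RE.search(tag)
                hidden_names.append(nm.group(1) if nm else "")
            if not any(TOKEN_NAME_RE.search(n) for n in hidden_names):
                findings.append("post-form-without-token")
    return findings


# Constructed sample traffic (hypothetical host, not a real site).
SAMPLE_URL = "https://shop.example/search?q=widgets"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = """<html><body>
<p>Results for widgets</p>
<form method="post" action="/cart">
  <input type="text" name="sku"><input type="submit">
</form>
<form method="POST" action="/account">
  <input type="hidden" name="csrf_token" value="n0tR3al">
</form>
</body></html>"""

CLEAN_URL = "https://shop.example/search?q=widgets"
CLEAN_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
CLEAN_BODY = "<html><body><p>No results</p></body></html>"

if __name__ == "__main__":
    for code in audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(code)
```

Run against the constructed sample it reports the unflagged session cookie, the missing framing header, the echoed `q` parameter and the cart form with no token, while the clean response yields nothing; a real plug-in would run `audit` on every response the proxy sees and de-duplicate findings per URL.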
By David Mortman
I am very excited to be guest blogging about RSA here on Threatpost. A special thank you to Dennis and Ryan for the privilege.
I am also very excited to once again be speaking at RSA this year. Last year, I was on a panel with Mike Rothman, Rich Mogull, Martin McKeay and Ron Woerner titled “Avoiding Another Security Groundhog Day”. The main theme of our panel was how we as security practitioners could move forward with protecting our customers while avoiding the sins of the past.
Psst! Psst! Ryan here. Did you notice that all the text on the cover of Verizon’s 2009 data breach report [pdf] is selectable? A little birdie tells me that’s no coincidence. Encrypted message, etc.
Even better, the report contains some obvious clues to decrypt. And something about cash prizes for those who figure it out. If you hear/know more, hit me up on Twitter. From the birdie’s beak to your ear…
As a security show, the RSA Conference leaves a lot to be desired. Its technical sessions carry an uncomfortable load of marketing baggage and don’t have either the cachet or entertaining edge of those at Black Hat or CanSecWest.
Anyone will tell you that the real business of RSA is happening off the show floor – in conference rooms and hotel suites and restaurants, where companies are doing business: technology partnerships and strategic alliances, mergers and acquisitions. Speaking personally, I’ve always found it ironic that the show, which started as a retreat for monkish cryptographers, has morphed into the back-slapping, business development Lollapalooza that it is today, but so it is.
Dennis Fisher talks with Mike Mimoso, editor of Information Security magazine, about the story lines we’re likely to see at the RSA Conference, including virtualization and cloud security, as well as the effect of the economy on security budgets.
From CNet (Jon Oltsik)
It’s nearly time for that annual spring ritual: the RSA Conference at the Moscone Center in San Francisco. ESG data tells me that, despite the recession, global organizations continue to spend on security products. So I expect another good show, though I do anticipate that the $500 kegs of Heineken at vendor booths will be omitted or replaced with Bud Light.
With the show less than a week away, here is the buzz I am anticipating. For this year, I’m including my hyperbole-to-reality ratio in my assessment. Read the full story [cnet.com]
The FBI has been using an in-house spyware program for several years to monitor the activities of suspected online criminals and hackers, according to recently released documents. The documents, obtained by Wired.com, show that the FBI was able to plant the program on target machines by encouraging their subjects to click on a link that silently installed the software.
Multiple news outlets [ZDNet, CBC, The Register and Washington Post] are reporting on what appears to be the first malicious botnet made up only of machines running Apple’s Mac operating system.
The botnet is directly linked to a previously known Trojan that was embedded in pirated copies of Apple’s iWork. It had previously been used to launch denial-of-service attacks. The full analysis of the botnet is available at Virus Bulletin [subscription required].