Critical Security Controls

I am not a security expert, and for that reason reading about security is hard for me, especially when you want to gain perspective on which area of security is being discussed.

The SANS Institute is a cooperative research and education organization that runs programs for security professionals around the world. They publish the Critical Security Controls, which focus on prioritizing the security functions that are effective against the latest advanced targeted threats: security controls, processes, architectures and services.

Each item of the list below (version 5) contains a detailed checklist of activities to be covered:

Whiteout mail

Security awareness is always a challenge, and having good habits in this area is important. Mail encryption has always been a technically complex issue, but now it seems to be easy for users. The answer is the German company Whiteout.io.

Installation

Once you install it, you enter your user name and generate a PGP key; the first hurdle you find is telling “0” and “O” apart.

After installation, some useful e-mails are sent to explain how the public key and the private key are used.

Use

Decrypting is slow by modern standards: opening a light e-mail takes around 1 or 2 seconds, which is not bad to me.

You will see a “” when the message is encrypted.

Gmail’s grouping of related e-mails into a single conversation is not available in Whiteout, so you will see all your past e-mails ordered in a way that does not make sense to you. This should be improved.

Contacts: to have other users’ keys in Whiteout.io you have to import their keys. This is what enables encrypted e-mails to them.

Things that work in a similar way to Gmail: folders,

Heartbleed vulnerability

Some basics I’ve learned about this issue.

OpenSSL is an open-source implementation of SSL. It is not the only implementation of SSL, and is not even the primary one. Most vendors have their own implementation of SSL and of TLS, which is directly related to it.

OpenSSL is available as an installed package, or as a “toolkit” (a library that other programs build against).

The Heartbleed vulnerability is due to a programming error introduced in December 2011, and it has been present in production releases since February 2012.

Primary places where the full package is used: web servers such as Apache and nginx.
Common uses of the toolkit: custom-written applications that use SSL to protect their data, such as VPN clients and SSL VPNs.

The estimated number of commercial web sites subject to this vulnerability is huge: 500,000 worldwide.

Is Windows or Mac affected by this issue? Not inherently: neither uses an open-source implementation of SSL or TLS. However, the likelihood that some of the sites you use regularly are vulnerable is very high, as Apache is very commonly used for commercial web sites. Your best bet is to contact product vendors and watch the security media to learn exactly which of your products are vulnerable.

Is my Linux/Unix vulnerable? Very possibly. OpenSSL is much more common on these systems.

Can I know if I’ve been compromised? In short, no. The vulnerability leaves sensitive data such as private keys, usernames, passwords and more in memory on the system in decrypted form, where it can be read directly by any program. Testing of the currently published exploits shows that they are virtually undetectable. This is a particularly difficult vulnerability because it is difficult to impossible to tell whether a program reading this area of memory is doing so as part of normal operation or as part of the exploit, so typical log monitoring will not identify a compromise in this case.

Is a fix available? Are all versions affected? The vulnerability has been remediated in the current version. See the link below for a list of secure versions and a list of safe and unsafe operating systems.

A good source of additional info: http://heartbleed.com/
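To make the “programming error” above concrete, here is an added example, written for this page and not taken from OpenSSL’s source: a handler for the TLS heartbeat message (RFC 6520 layout: type, 2-byte payload length, payload, at least 16 bytes of padding) that includes the length check whose absence was Heartbleed. The vulnerable releases copied as many payload bytes as the sender declared, without confirming that many bytes had actually arrived, so the reply carried whatever sat next to the record in memory; the marked bounds check discards such a request instead. The functions `build_heartbeat_response`, `encode_heartbeat_request` and the `demo_*` helpers, and the “hello” sample payload, are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 *   type           1 byte  (1 = request, 2 = response)
 *   payload_length 2 bytes (big-endian)
 *   payload        payload_length bytes
 *   padding        at least 16 bytes, ignored by the receiver
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_PAD_LEN  16

/* Build the response to the heartbeat request held in rec[0..rec_len).
 * Returns the number of bytes written to out, or -1 if the request is
 * discarded. The line marked "bounds check" is the validation the
 * vulnerable releases lacked. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* sender-declared */

    /* bounds check: declared payload plus padding must fit inside what arrived */
    if (HB_HDR_LEN + payload_len + HB_PAD_LEN > rec_len) return -1;

    size_t need = HB_HDR_LEN + payload_len + HB_PAD_LEN;
    if (need > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* now provably in range */
    /* real implementations fill the padding with random bytes; zeros suffice here */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PAD_LEN);
    return (int)need;
}

/* Encode a request whose header claims declared_len payload bytes while only
 * actual_len bytes of payload are really placed in the record. Used to build
 * the constructed sample records below. Returns the record length, 0 on error. */
size_t encode_heartbeat_request(uint8_t *buf, size_t cap, uint16_t declared_len,
                                const uint8_t *payload, size_t actual_len)
{
    size_t total = HB_HDR_LEN + actual_len + HB_PAD_LEN;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HDR_LEN, payload, actual_len);
    memset(buf + HB_HDR_LEN + actual_len, 0, HB_PAD_LEN);
    return total;
}

/* Well-formed request: declared length matches the bytes sent.
 * Returns the response length (3 + 5 + 16 = 24), or -2 if the echo is wrong. */
int demo_wellformed_response_len(void)
{
    static const uint8_t payload[] = "hello";            /* constructed sample */
    uint8_t rec[64], out[64];
    size_t n = encode_heartbeat_request(rec, sizeof rec, 5, payload, 5);
    int r = build_heartbeat_response(rec, n, out, sizeof out);
    if (r > 0 && memcmp(out + HB_HDR_LEN, payload, 5) != 0) return -2;
    return r;
}

/* Malformed request: claims 65535 payload bytes but carries only 5.
 * Returns -1 because the bounds check discards it. */
int demo_oversized_response_len(void)
{
    static const uint8_t payload[] = "hello";            /* constructed sample */
    uint8_t rec[64], out[64];
    size_t n = encode_heartbeat_request(rec, sizeof rec, 0xFFFF, payload, 5);
    return build_heartbeat_response(rec, n, out, sizeof out);
}

int main(void)
{
    printf("well-formed request -> %d bytes\n", demo_wellformed_response_len());
    printf("oversized request   -> %d (discarded)\n", demo_oversized_response_len());
    return 0;
}
```

The point for defenders is the one the text makes about detection: a heartbeat that declares more payload than it carries is indistinguishable from a normal one unless the handler itself compares the declared length with the record length, which is why the fix lives in the code and not in log monitoring.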

Confide

The security of mobile applications continues to be a big question for me, mainly because of how little security there is.

I found Confide, whose motto is:

Spoken words disappear after they’re heard. But what you say online remains forever.
With confidential messages that self-destruct, Confide takes you off the record.

More market for security business

The IT security industry continues to evolve and to expand its range of activities. New needs keep being created by the continuous growth of security issues and by the need to protect intellectual property.

Many markets are also created through legislation, which turns into more and more complex compliance activities.

OMB: Agencies must implement continuous monitoring by 2017