Month: July 2012

English in India

Great Quora post about the idiosyncrasies of English as spoken in India. When I first started working with an offshore Indian team, the phrase “please do the needful” confused the hell out of me. They also seem to use Mr. First Name a lot.

I remember looking it up at some point. There was a theory that this all stems from the time of East India Company. Apparently that’s how English was spoken at the time and after the British left, a lot of schools and textbooks remained the same. So while English evolved into the modern day version, a lot of Indians continue to learn and speak the version that was brought to them by the British a few centuries back.

Securing users

I was reading an edition of PenTest Magazine (attached here for convenience). They’ve had a few decent articles in there, but one was talking specifically about securing your users. That’s an interesting topic. An attack against your company is very likely to come through the “meatware” vector. It’s often much easier than trying to find the latest 0-day or buffer overflow. Of course you have your security policies and user training, but even security pros fall for a well-crafted phishing attack. Be realistic about how far you can harden and train your user base. You need to be prepared for a breach to come through that direction.

A lot of defenses should be focused on isolating the user population from critical systems, so that when a breach does occur, the impact is limited. Of course users do need some access in order to perform their jobs, and that’s where it’s critical to focus on granular access controls, specifically RBAC: give each role only the resources and actions it needs, and default to deny for everything else. You also need the capacity to detect and respond to anomalies in user behavior, such as a single account suddenly being denied access to systems outside its role. That’s what ultimately will allow you to contain the threat and limit its impact.
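To make the two ideas in the paragraph concrete, here is an added example (my own illustrative code, not from the post or from PenTest Magazine) of a default-deny RBAC check run over a constructed access log, with a crude behavioural signal on top: an account that racks up several denials is flagged for response. The roles, users, resources and log entries are all made up for the example, and the denial threshold is an arbitrary tunable.

```python
"""Added example: role-based authorization plus a simple anomaly check over
an access log. Illustrative code, not from the post or PenTest Magazine;
the roles, users and log lines below are all constructed."""
from collections import Counter

# Role -> set of (resource, action) permissions. Roles are deliberately
# narrow: the general user population never gets write access to the
# finance DB, so a phished helpdesk account cannot reach it.
ROLE_PERMISSIONS = {
    "helpdesk": {("ticketing", "read"), ("ticketing", "write"), ("directory", "read")},
    "accountant": {("finance-db", "read"), ("finance-db", "write"), ("directory", "read")},
    "dba": {("finance-db", "admin"), ("finance-db", "read")},
}

# User -> roles. Accounts, not roles, are what phishing compromises.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"accountant"},
    "carol": {"dba"},
}


def authorize(user, resource, action):
    """Allow only if some role held by the user grants (resource, action).

    Unknown users and unknown roles fall through to the default deny.
    """
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


# Constructed access log: (user, resource, action). Alice's account has
# been phished and is being used to probe systems outside the helpdesk role.
ACCESS_LOG = [
    ("alice", "ticketing", "read"),
    ("bob", "finance-db", "read"),
    ("alice", "finance-db", "read"),
    ("alice", "finance-db", "write"),
    ("alice", "directory", "read"),
    ("alice", "finance-db", "admin"),
    ("alice", "hr-db", "read"),
    ("carol", "finance-db", "admin"),
    ("bob", "finance-db", "write"),
]


def evaluate_log(log, deny_threshold=3):
    """Authorize every request in the log and flag suspicious accounts.

    Returns (decisions, flagged):
      decisions: list of (user, resource, action, allowed)
      flagged:   set of users whose denied-request count reached
                 deny_threshold (an arbitrary value chosen for this example)
    """
    decisions = []
    denials = Counter()
    for user, resource, action in log:
        allowed = authorize(user, resource, action)
        decisions.append((user, resource, action, allowed))
        if not allowed:
            denials[user] += 1
    flagged = {u for u, n in denials.items() if n >= deny_threshold}
    return decisions, flagged


if __name__ == "__main__":
    decisions, flagged = evaluate_log(ACCESS_LOG)
    for user, resource, action, allowed in decisions:
        print(f"{user:6} {resource:11} {action:6} {'ALLOW' if allowed else 'DENY'}")
    print("flag for response:", sorted(flagged))
```

The point of running the two together is that RBAC alone only limits what the compromised account can reach; the denials it generates are the behavioural signal that tells you which account to contain. In a real deployment the threshold would be per-role baselines rather than a fixed count, and the decisions would be coming from your authorization layer's logs rather than an in-memory list.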


Black Hat 2012

Unfortunately I am not attending Black Hat this year, though I’ll try to make it to Defcon. I have been following the presentations pretty closely and so far this is pretty interesting:

WAF testing tool. ~150 ways to attack WAFs. Their product is potentially an interesting alternative in the WAF space.

Presentation on how to use Arduino to hack hotel room keys. And this is his blog.

Looks to be a very useful training tool.