Tuesday, April 30, 2013

always be changing

the most basic and fundamental thing to remember in the context of defending yourself is:


by which i mean you have to keep learning, adapting, growing, improving, etc. no simple list of tasks to complete or security measures to put in place will ever really be enough to keep you or your stuff safe. you have to keep making intelligent changes to what you do and how you protect yourself. those lists of practices people generally advise are stagnant - they stand still but the bad guys never do.

(one part catch phrase and homage to the movie glengarry glen ross, and one part honest advice since it is essentially what i do)

stranger danger laid bear

found on i can has cheezburger

i'm sure as kids we were all told not to take candy from strangers, but it seems like many of us were never able to apply the same principle to things other than strangers or other than candy, and in fact as adults some of us will actually not only take candy from strangers, we'll even fork over our passwords in order to get the candy.

Monday, April 29, 2013

AuthN vs AuthZ

from here (source article)

there's kind of a big difference between proving who you are and establishing what you can do, and if people can't tell the difference it goes a long way to explaining why security is in such a sad state.

airport security stand-up



oh, my kingdom for a pair of tweezers.

Friday, April 26, 2013

if you abduct a child...

if you abduct a child in order to protect the child from abduction then you might be a security idiot
(inspiration - somehow that just doesn't seem like the right word)

you won't like polly when he's angry

found on memebase

some things really, really need intelligent operators. not bird brains.

Thursday, April 25, 2013

complaints


weeeeeee... i didn't have any ideas for making an existing picture funny so i just drew a comic instead. i think some people do that the other way around.

this isn't the deterrent you're looking for

found on the art of trolling

some people might be even more deterred by this, but others... i'm not so sure.

Wednesday, April 24, 2013

how about a silver bullet in the head?

from here

maybe i've been listening to too much rage against the machine lately, but i think silver bullet proponents need a bullet in the head.

laziest gun in the world

found on memebase

tools can be used for good or bad, but rarely do they ever do anything worth mentioning when left all on their own.

Tuesday, April 23, 2013

not soon enough

from here (source image)

thanks to @SecurityHumor for tweeting this. of course, i doubt people have all that much of a choice about using this thing in it's insecure state, and i'll just bet "soon" still means many months from now.

Keep your passwords safe



submitted by Arik (@arikb)

as soon as we find some place to stick this in

found on memebase

yeah, you just keep telling yourself that kim jong-un. i don't understand why people make such a big deal out of the cyber threat posed by a country that can barely keep the lights on (literally, north korea is a dark patch when viewed from space at night).

Monday, April 22, 2013

cracker pwn thyself

from here (source image)

(inspiration)

i think it's time for a silly cyber crook "advice animal" meme. i think i'll use this because, well, just look at this guy in a balaclava hiding behind his keyboard.

i don't always choose a boat for my escape route...


that's a rather nice 'most interesting man in the world' joke by the jester at the boston bombing suspect's expense.

Friday, April 19, 2013

striking fear into the hearts of worms and grubs

from here (source image)

i think the plan here was to make the bad guys give themselves away by laughing too hard. i'm not sure what else you can expect from patrol hens.

threat landscape t-shirt



there's some nice symbolism here (although it's hard to see at this scale), and you can find the symbols individually on other shirts and mugs and stuff. i'm kinda jealous i didn't come up with these myself, but what matters is that someone did.

Thursday, April 18, 2013

everyone's a thought leader

from here

y'know, there are so many thought leaders i sometimes wonder if there's anybody left to follow them.

lions and tigers and canadian geese, oh my!



i guess we shouldn't feel so bad about our own inability to accurately gauge risk.

Wednesday, April 17, 2013

brute force? you keep using that term...

from here

it's difficult to take reports of the wordpress "brute force" attack seriously when it's using a password list. brute force attacks don't use lists, dictionary attacks do.

Tuesday, April 16, 2013

two ideas are too much for some people

from here

don't get me wrong - out of band authentication is a cool idea, and it has some nice properties, but receiving a phone call is not the same as verifying a token.

don't trust the internet

found on failblog

this guy may not be saying don't trust the internet, but i certainly am. don't trust the internet.

Monday, April 15, 2013

do as they say, not as they do

from here (source tweet and webpage)

thanks to rob for showing us that even OWASP can't do OWASP properly.

this just in...



this just in... be on the lookout for the crime clown. he is considered fat and extremely stupid. at least part of him may already have made it to another jurisdiction (assuming he's managed to stay mostly upright).

Friday, April 12, 2013

in soviet russia, honeypot pwns you

from here (source paper)

thanks to the folks at liquidmatrix security digest podcast (what a mouthful) for not only pointing this out but suggesting the type of meme to use (you'll have to actually listen to the show to find it).

i think we need a "none of your business" bill

as tweeted by fight for the future

the caption on the site includes

The Fish & Wildlife Service is one of them ... and you REALLY don't want them in your bedroom.


y'know, when the government does things contrary to it's citizens' interests like this it convinces me that the government is an adversary.

Thursday, April 11, 2013

let's play APT

from here (source image)

i'm sure i'm not the only one thinking this. somebody has jumped the shark. whether it's the analysts or the attackers themselves, i'm not sure, but the idea of gaming companies being targets of advanced persistent threats just seems absurd.

i can has exit?

found on senor gif

watch as this wild bird brain attempts to take flight to avoid being caged

Wednesday, April 10, 2013

how funny is that funny money now?

from here (source article)

thanks to nick owen for putting me on to this one

cat jumps over the security gate

found on i can has cheezburger

it just goes to show, even though something can be easily bypassed, that doesn't mean it won't still trip someone up.

Tuesday, April 9, 2013

midsomer memes

from here

here's a news flash for you - if you want to keep something on the down-low, don't use a communication format designed to spread things far and wide.

(inspiration)

being a defender can be fun

cursed treasure 2 (via ghacks)

one of the things tower defense games teach you is that no defensive measure works in all situations or against all adversaries.

Monday, April 8, 2013

if you commit the same computer crimes...

if you commit the same computer crimes you and your colleagues are trying to stop, you might be a security idiot
(inspiration)

bill maher on airport security



maybe, just maybe we shouldn't have laughed so much at the early airport security measures. no doubt the laughableness is what prompted the powers that be to make things so much worse.

Friday, April 5, 2013

digital 9/11

from here (inspired by @gattaca's tweet)

listening to fearmongering can get so tedious sometimes. i share dave's sentiment.

george carlin on airport security



don't hold back, george, tell us how you really feel.

Thursday, April 4, 2013

mobile security

from here (source image)

for all the bells and whistles in modern mobile security suites, none are this effective at preventing theft, and hopefully none are this user-unfriendly.

camouflage win

found on failblog

this was, at one point, labeled a camouflage win on failblog - and i would have to agree because i still have difficulty figuring out what i'm looking at.

Wednesday, April 3, 2013

flip flop security

from here (source image)

i dunno. maybe there's more going on here than meets the eye, but unless those are some really smelly sandals, this isn't going to stop anyone from stealing that bike.

advanced persistent threat to candy bars



some threats are more advanced and persistent than others. you're probably not going to be able to keep this guy out of your vending machines.

Tuesday, April 2, 2013

mcafee Y U NO hash passwords?

from here (source image)

thanks to dave lewis for tweeting this insanity. the password has a maximum length and can't contain special characters? yeah, that's because they're storing the passwords in plaintext - the database field has a space limit and special characters could lead to a SQL injection.

if they hashed the passwords like they're supposed to, neither of those problems would be an issue. and this from a supposed security company? more like an insecurity company. holy crap.

selecting the form of our downfall

found on memebase

normally i just go for the really funny memes, but this one actually got me thinking. a lot of time and energy and money has been invested in going after the easy online threats, the "low hanging fruit" if you will. how much have the sophisticated attackers benefited from that lack of attention? from a strategic point of view, would it not make sense to put the majority of our effort into the hard battles rather than the easy ones?

Monday, April 1, 2013

all fails are final

from here (source article)

thanks to steve werby for bringing this little lolthreat to my attention.

benign drive-by SQL injection

found on alfredo reino's blog

there was a drive-by SQL injection image featured here 2 years ago. gunter ollman recently ran across the picture and tweeted it and one of the responses he got pointed to this much more elegant example

EDIT 2013-04-02: i don't always add stuff after the fact, but when i do, it's usually funnier than what was there before

from here