Adaptive Security Management Architecture
Coming to a bookstore near you
It's done! After several years of writing, starts and stops, and modifications to really tune the content, I've finally completed my third book; and it's now in the more than capable hands of Auerbach Publications.
The book hits the shelves November 18th and you can pre-order a copy from sites like Amazon. Also, look for me speaking at various security events early next year and I'll have copies to hand out. I'm always interested in feedback, and if you have some use the "Email Jim" link above.
Adaptive Security Management Architecture
An Interview with Jim Tiller
When attending the InfoSec Security Conference in Orlando last week I had the opportunity to sit down with Rich O’Hanley, editor in chief for CRC Press, and Stephen Fried, author of “Mobile Device Security” to talk about my book.
Google Hires Hackers
Paying for vulnerabilities
Chris Evans of Google Chrome Security announced in a blog post last Thursday that they will pay $500 to anyone reporting interesting vulnerabilities in Chrome. And with a little wink to the hackers, a potential reward of $1337 is being considered for the really interesting findings. The question that seems to have been raised is: is it a good idea, or is Google subsidizing the development of tomorrow’s hackers?
BlackHat Standard Fair
Living up to expectations, this year’s event looks to be exposing some interesting hacks
BlackHat has been around for a while and has become very popular as a platform for researchers to expose their interesting research in the discovery of foundation-shattering vulnerabilities. Although this type of exposure occurs at other “hacker” events, the media focus on BlackHat is unparalleled, making it a well-publicized event. Although it’s just getting started, a couple of disruptive things have already been presented.
The Legalities of Spying
A view into how an administration gets what they want
Released today: an unclassified report on Bush's Presidential Surveillance Program (PSP), written by the Offices of Inspector General of the DoD, DoJ, CIA, NSA, and the Office of the Director of National Intelligence. In short, Congress mandated an investigation to ultimately determine the legal precedence of the PSP, which involved massive collection of communications within and beyond the US.
ISSA / ISACA / InfraGard Event Presentation
I spoke at an event this week (6/19/09) in Tampa, Florida. The Tampa Bay Chapters of ISSA, InfraGard, and ISACA hosted an all-day event at the Tech Data Corporation headquarters in Clearwater. A few folks asked for a copy of the presentation I gave because I think it struck a chord with some of the audience.
Bigger Picture
Digital Pollution
There has been a great deal of industry static about Microsoft’s WMF vulnerability and the giant’s reaction to the critical gaping hole. In short, the WMF vulnerability provides the opportunity for a hacker to embed code in an image. When that image is displayed in a browser, document, e-mail, or whatever, the code is executed. It’s important to understand that the user did nothing out of the ordinary for this to occur. Just going to a site with one of these "trojaned" images is enough. Clearly, this has significant implications and will be with us for some time.
The Walls of Jericho
In February of this year the OpenGroup established a new forum called
