[Editor's Note (Valle): We know that virtualization can be used for sand-boxing applications to test for malware and also create safe web browsing environments. Here is the flip-side of that technology.]

[Editor's Note: (Valle): I am seeing an interesting trend when I do my weekly research for articles on my RSS reader of 90+ security feeds.  I see that Searchsecurity.com's feed usually has only 1 or 2 articles (where the other feeds usually average about 20 posts a week) but I invariable pick one of their articles to post to this blog.  Keep up the great work searchsecurity and especially Ed Scoudis!]

Editor’s Note (Valle): We continue to see how the Internet’s beneficial attributes (distributed, redundant, open architecture, etc) are turned into critical vulnerabilities that have even the best security minds perplexed.

This is a great article on how some strong authentication techniques can actually make it easier for cybercriminals to rip you off if they are able to get an in-line proxy between you and your financial institution (aka man-in-the-middle attack)
http://www.darkreading.com/document.asp?doc_id=131191

Editor’s Note (Valle): Ever since I saw a company named TriCipher at a local ISSA meeting use a man-in-the-middle attack against a Charles Schwab account that was using two-factor authentication I have been wary of financial institution’s “secure” solutions.

[Editor's note (Valle): This technique is similar to anti-forensic methods use by cybercriminals to hide their true origins. The main difference is that fast-flux has a larger and more rapidly changing number of proxy servers to hide behind.]

1) Reliance on Manual Processes – Audit and compliance (A&E) staff monitor and test controls by depending almost exclusively on reports generated by others rather than software tools

2) Lack of Centralized Control – No clear ownership of compliance oversight or processes around reporting on and monitoring user access as well as fragmentation of data and distribution of responsibility are issues.

3) Poor Communication and Collaboration – A&E staff do not collaborate with departments that share IT compliance responsibility. Other departments have a poor understanding of risk management and compliance.

4) Inattention to Business Risk – Most organizations do not focus their compliance resources or efforts on risk and most say they do not have the necessary information to quantify risk

Computer Security Videos at Security-Freak.com

Google TechTalk Video “What every engineer needs to know about security”
http://www.net-security.org/secworld.php?id=5401
Interesting talk at Google

Make Mashups secure
http://www.infoworld.com/article/07/08/06/32FEmashsec_1.html
Important techniques to make your mashup more secure

Consumer Reports: Malware Costs US Consumer $7 Billion Over Two Years
http://www.darkreading.com/document.asp?doc_id=131056

Super All-in-one network security test system
http://www.eweek.com/article2/0,1759,2165270,00.asp?kc=EWRSS03129TX1K0000614
A start-up using HD Moore’s Metasploit technology and where he is the Director of Security Research is launching the mother of all network security test systems.

[Editor's Note (Valle): Another example of how difficult it is to write secure code and why security needs to be a top priority when creating new software. To this end the SANS Institute has recently created the GIAC Secure Software Programmer Certification (GSSP) which will be the first exam of its kind to test a developer's secure coding skills. http://www.sans-ssi.org/ ]

[Editor's Note (Valle): Since nobody passes security audits on the first try, it is good to learn from the wisdom of people who have been through it before.]

 Hackers Clean Up with Ajax
http://www.darkreading.com/document.asp?doc_id=128730
Web 2.0 technologies might be prettier to the end user but they are inherently more vulnerable.

NSA, DHS name top info assurance schools
http://www.fcw.com/article103179-07-09-07-Web
Don’t send your people to just any security school.

RFP: Penetration Testing
http://www.eweek.com/article2/0,1759,2155859,00.asp?kc=EWRSS03129TX1K0000614
A quick and dirty guideline for pen tests.