Tuesday, September 9, 2014

 

Vienna DevOps & Security and System Architects Group meetup summary - Sept 9, 2014

Some twenty developers and security experts gathered at the Stockwork Coworking Space for today's joint Vienna DevOps & Security and System Architects Group meetup http://meetu.ps/2v2DGg.

Best practices for AWS Security

Philipp Krenn (@xeraa) nicely explained the fundamental risks of AWS services:
Starting services on AWS is easy. So is stopping.

Recent incidents show that a compromised infrastructure can cause more than short disruptions. Several companies went out of business when not only their online services but also data stores and backups were gone.
(Some) recommendations for using AWS services:
  • Lock away the root account. Never use this account for service or action authentication, ever.
  • Create an IAM user with a password policy for every service or action to limit damage in case an API key gets compromised.
  • Use groups to manage permissions.
  • Use two-factor authentication (2FA) with Google Authenticator.
  • Never commit your credentials to a source code repository.
  • Enable IP restrictions to limit who can manage your services even with an API key.
  • Enable CloudTrail to trace which user triggered an event using which API key.
Other cloud security providers may offer different security features.

The (fancy!) slides are available here: https://speakerdeck.com/xeraa/i-am-what-iam-for-devops-vienna
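The IP-restriction and 2FA recommendations above can be expressed as blanket Deny statements in an IAM policy. The following is an added example, not code from the talk or the slides: the two policies, the 203.0.113.0/24 range and the `guardrails` helper are constructed for illustration, while `aws:SourceIp`, `aws:ViaAWSService` and `aws:MultiFactorAuthPresent` are standard IAM condition keys.

```python
import json

# Constructed sample policies (not from the talk); 203.0.113.0/24 is a documentation range.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    # Deny any direct call that does not originate from the office range.
    {"Sid": "DenyOutsideOfficeIp", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                   "Bool": {"aws:ViaAWSService": "false"}}},
    # Deny any call whose session was not authenticated with MFA.
    {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def as_list(value):
    """IAM allows a single value where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def guardrails(policy):
    """Return which blanket-Deny guardrails (source IP, MFA) a policy contains."""
    found = {"source_ip": False, "mfa": False}
    for stmt in as_list(policy.get("Statement", [])):
        # A guardrail must deny every action; an explicit Deny overrides any Allow.
        if stmt.get("Effect") != "Deny" or "*" not in as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("NotIpAddress", {}).get("aws:SourceIp"):
            found["source_ip"] = True
        mfa = cond.get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() == "false":
            found["mfa"] = True
    return found


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, json.dumps(guardrails(policy)))
```

Because `BoolIfExists` also matches requests that carry no MFA context at all, the `DenyWithoutMfa` statement blocks plain long-term access keys, so it suits groups of human users rather than service users that authenticate with an API key only.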

ISO 27001 - Goals of ISO 27001, relation to similar standards, implementation scenarios

Roman Kellner, Chief Happiness Officer :-) at @xtradesoft, gave an overview of ISO 27001 and related standards:
  • ISO 27001:2013 Information Security Management System (ISMS) Requirements
  • ISO 27002:2013 Code of Practice
  • ISO 31000 Risk Management
Information security management is not limited to computer security; it is equally relevant for paper documents, human knowledge, etc.

The structure of ISO 27001 looks somewhat similar to ISO 9001 Quality Assurance, including the monitoring and continuous improvement loop of Plan-Do-Check-Act (PDCA).

For a successful implementation and certification, the ISO 27001 efforts must be supported and driven by the company leadership.

The third talk about Splunk unfortunately had to be postponed.


Monday, September 1, 2014

 

Removing thumbnails from JPEG images

JPEG images downloaded from a digital camera often contain thumbnails in the EXIF metadata, which Windows 7 appears to use for the thumbnails shown in folders.

Unfortunately not every image editor also updates the thumbnails. As a result, changes to images are only visible on the full image, not on the thumbnail preview.


That's where the marvelous ExifTool library and command-line application by Phil Harvey come into play. This one-liner removes the thumbnail image and related size information, and sets the file modification timestamp to the capture timestamp:

exiftool -if "$exif:IFD1:XResolution" "-filemodifydate<datetimeoriginal" -ext jpg -IFD1:all= %*

Combined with Matt Ginzton's CmdUtils, the full batch script for Windows removes image backup copies before and after processing:

@echo off
if exist *.JPG_original recycle -f *.JPG_original
exiftool -if "$exif:IFD1:XResolution" "-filemodifydate<datetimeoriginal" -ext jpg -IFD1:all= %*
if exist *.JPG_original recycle -f *.JPG_original
