Risk management for e-banking
The "Basel Committee on Banking Supervision" published "Risk Management Principles for Electronic Banking" (July 2003). Nothing earth-shakingly new, but a good checklist for anyone working on an e-banking solution, or any similar beast. (Always good to run sanity-checks on yourself.)
http://www.bis.org/publ/bcbs98.pdf   ¶ permanent link

  Living with terror
An interesting, although older article in CIO magazine that takes a look at how real big companies prepare for real big threats.. (or so they say)
http://www.cio.com/archive/021502/terror.html  ¶ permanent link

  NIST draft SP800-27 Rev A "Engineering Principles for Information Technology Security
(A Baseline for Achieving Security)"
NIST released a new Special Publication Draft. As their material is usually very good and can be nicely re-used, it probably means additional week-end reading for most of us. Another stab at System Life-cylcle development security (SLCD)!
http://csrc.nist.gov/publications/drafts/SP800-27-RevA-Draft.pdf  ¶ permanent link

  Microsoft offers Security Awareness posters
From a posting on http://groups.yahoo.com/group/security-awareness , mentioned by Gideon Rasmussen on cisspforum: Microsoft is offering 3 free security awareness posters in PDF format for immediate download as well as in a pack of 75 (25 ea). The URL for downloading/ordering is http://www.microsoft.com/education/?ID=SecurityPosters
(U.S. and Canada only) *sigh*   ¶ permanent link

  "Grand Research Challenges in Information Security & Assurance"
A conference that took place last year and found some big strategic goals on what should really be improved. Good synopsis on the front page.
http://www.cra.org/Activities/grand.challenges/security/home.html  ¶ permanent link

  US-CERT
"The announcement provides information on the first of a series of
efforts to improve the cyber information available from US-CERT."
Please see Press Release located at:
http://www.us-cert.gov/press_room/ncasrelease.pdf "
  ¶ permanent link

  US banking group BITS:guidelines for security in outsourcing (Excel sheet)
BITS, a nonprofit industry consortium of the 100 largest financial institutions in the USA, offers guidelines on security in outsourcing. They are based on ISO17799 with additional input from members.
A long story on it is here on Computer World.
The actual guidelines (Excel) are in the Papers and Publications section of the BITS website. (Some other goodies there.)  ¶ permanent link

  Cartoons on IT security
Have a look at this site for a more comical take at IT security awareness.
http://www.securitywizardry.com/cartoons.htm
Well, at least I liked them...
  ¶ permanent link

  Simon Singh's "Code Book" and the Cipher Challenge
Just finished reading Simon Singh's "Code Book", which I find a very entertaining read on the history of cryptography. He has some very entertaining details on the earlier history, inl. how weak encryption killed Mary Stuart. At the end of the book is a cipher challenge, that actually took on an interesting life of it's own. (Simon Singh has a really nice website.)
Actually, the story of how the Swedes solved the Cipher Challenge deserves a direct link "How we cracked the code book ciphers". (Great reading!)  ¶ permanent link

  New Special Publication Drafts from NIST
NIST has some new drafts for Special Publications. They include "DRAFT Special Publication 800-30 Rev A, Risk Management Guide for Information Technology Systems" and "DRAFT Special Publication 800-27 Rev A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security)". - You can still comment until March 20, 2004.  ¶ permanent link

  RFID soccer
Researchers in Germany are working on putting RFID tags into ball and shoes/garb to help referees? - Interesting, but somehow odd story. (Don't they have constant TV surveillance already? And some thousands watching them?)  ¶ permanent link

  INFOSEC Zeitgeist
Abraham Usher analysed the topics that Information Security folks were particulary interested in (or appeared to be) over the past year - by looking at mailing lists, etc.. You can find his analysis at http://www.sharp-ideas.net/research/infosec_zeitgeist.html  ¶ permanent link

  NIST's Computer Security Incident Handling Guide available
The National Institute of Standards and Technology (NIST) has released a Computer Security Incident Handling Guide (Special Publication 800-61).
You can find it at http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf  ¶ permanent link

  Cybercrime Law Survey
"Cybercrimelaw.net is a presentation of penal laws on cybercrime around the world. The site currently contains information about the laws in 60 countries, including those preparing such legislation."   ¶ permanent link

  Links from CISSP-FFM meeting January 15th, 2003 in Wiesbaden (Germany)
Here are some of the links that came up in our CISSP-FFM meeting the other day.
http://www.ccc.de/congress/
http://www.fdik.org/
http://www.phenoelit.de/whatSAP/
http://www.try2hack.nl/
http://ca.com/offices/germany/infoexchange/
http://reflectorium.blogspot.com/
http://www.cryptophone.de
http://www.despair.com/
http://www.demotivate.com/
http://www.internalmemos.com/memos/
http://messages.yahoo.com/yahoo/Business___Finance/index.html
http://isc.sans.org/
http://www.secmgt.de/
http://www.gi-fb-sicherheit.de/vg/informatik2003/sessions/workshop-sicherheitsmanagement/
http://www.nist.gov/

__Hot dates for BoFs:
06.02.2004 GI FG SecMgt. in Frankfurt/Niederrad
24.03.2003 TruSecure Event
5.-7.10.2004 InfoExchange CA in Mannheim
  ¶ permanent link

  Notes from the Chaos Communication Congress 2003
The Chaos Communication Congress is an annual hacking conference organised by the Chaos Communications Club. I made it somewhat of a habit of going there "between the years". This year it was somewhat more fun, as we had a small CISSP-FFM BoF meeting around it.

- Below are my notes from the event.
(Some facts, also spelling, might be wrong.)

You can find more details on the Congress website.
Most workshops have been documented on video. 41 congress videos of the event are online.

Security Nightmares 2003
- embedded systens?
- hacks at WLAN spots (e.g. trains, airports)
arp-spoofing at airport lounge (took place [fr])
- zombies on consoles (lots) [didn't happen, or did it?)
- sichere Kontoinformationen an BaFin (KWG §24c) seit 1.4.03
- silent bugfixes (i.e. a seemingly small bugfix also fixes other serious holes)
- MS monthly patch cycle (provides for 0day prepartaion and sysadmin vacation planning)
- network scanning tools for symbian (nmap,..) (->atstake etc, oli whitehouse)
- fake mails
- oss server distro/dev compromises
- gpg el gamal fuckup
- physical security (two australian gov servers stolen)
- OpenSSH and OpenSSL --> wide_open...
- DDOS as commercial service in 2003 (from eastern Europe)
- "Content"-Viren, harmful code in Media-Daten
- voting machines issues
- US implements blinkenlights with regions.. (black-outs)
- problems with car key systems and wireless cash restaurant systems, lpd and (car key systems work at 433 MHz)
- etherreal overflows, kismet overflows (via malicious SSID)

--> aiba.org (sp?)[building hacking, bus ...]

Security Nightmares - future
- problems with IP-connected end-user devices
- automatic pushing of business cards (palms and bluetooth) .. on cebit 04
- superwormzz, malicious payloads .. (2 mins to format 14,000 out of 16,000 in simulated network?)
(worms speaking ABAP? [participant question])
- OSS develop infrastructure
- SPAM
- ERP on the Internet
- UMTS
- distributed computing "issues"
- ARP Spoofer hunt on airports
- exploits via VoIP/Videotelefonie (codec sourcen not sufficiently auditted, many buffer overflows..)
[voice spoofing][covert surveillance, open mikes..][patching...]
- Telephone systems (PBX)
- IPv6 (bypass IPv4 packetfilters, no need for NAT?? ...]
- vuln in online games (multiplayers, real money, ebay)
- instant messaging "issues"
- biometry (identity spoofing)
- voting machine massacre US presidential elections 2004 ?
- RFID-scare overdrive
(anti-personnel mines aimed at US army boot RFID tags? effects of RFID on money bills for robbers?)
-


Big Brother Awards
- www.supervilainizer.ch

Toll-collect
- Kunstschnee aus der Dose

Cryptophone (http://www.cryptophone.de )
- 1,800 Euro a system, but free PC software
- encryption in GSM very much broken
- expects amateur GSM sniffing within 2-3 years
- cheap sniffing hardware from india, russia

RSA-1024 insecure
- because of FPGA chips more available, custom hardware cheaper, TWIRL
- TCG: must have RSA-2048 or better (TCG 1.2)
- SHA-1: too small output?

Windows Insecurity (Volker Birk) (his website and slides)
- shatter attacks (vs. personal firewalls)
- no security model between apps on IPC, DDE, ActiveX, COM, ...
- any process using window very vulnerable

Phenoelit (SAP exploit, Unicode wchar script)
- buffer overflow exploits in SAP A-Gate (4) and mySAP.com
- (SAP web software implementation flaws)
- venetian exploits, script
- ollydbg

bioweapons
- search for "dark winter"

JTAG
- access to flash, memory through testing interface (without running system)

Biometrics
- US VISIT program using JPEGs for finger print data? (no templates used?)


  ¶ permanent link

  Calendar of security events (in German)
Click here.   ¶ permanent link