Password-protection of Lotus Notes IDs
Technical reference and a tool for cracking/brute-forcing/testing.
  ¶ permanent link

  Infosurance
Dedicated search engine and infolandscape maintained by the ETH Zürich.
(incl. Critical Infrastructures, etc.)
http://www.isn.ethz.ch/infosurance/  ¶ permanent link

  Open Source Methodologies for Security Testing
I went to a FIST conference the other day in Frankfurt (at the university there). It took from 18:00 to 21:00, a bit more than a dozen people in attendance (incl. Alberto from CISSP-FFM!).
From the invitation: "FIST Conferences are free and open events where to present and talk different aspects of Penetration Testing and Information Security. Presentation of recent conferences in Madrid, Bombay, Delhi, Bangalore, Pune are available here....

• http://groups.yahoo.com/group/PenTest/files/Presentation-Archives/
  
• http://personal.telefonica.terra.es/web/smm/fist.htm"
  

"
The final agenda was

• Introduction - by Frank Sadowski, Cordinator OISSG Frankfurt and Balwant Rathore from OISSG
  
• Information System Security Testing Framework (ISSTF) draft - by Balwant Rathore, CISSP from OISSG
  
• ISSTF Web Application Security Testing Approach by Frank Sadowski

We had good discussions, especially on the risks in penetration testing and the overall need for a good methodology for Web Services testing. - I went away with the feeling that while penetration testing is at times "appealing" to management, from my point of view it has its shortcomings:

• Penetration test findings are often wiped away by the IT dept., with a simple "ok, we'll patch the servers then"
  
• You really test the skills/abilities of the pen testers, not the environment.
  
• Noone can tell whether spending 100,000 USD instead of 20,000 USD has an added benefit.

Interesting enough, there are other (rival?) groups pondering open methodologies for security testing, e.g.

• http://www.osstmm.org, e.g.
  http://isecom.securenetltd.com/osstmm.en.2.9.wireless.pdf,
  see their repository http://www.isecom.org/public_repository.shtml
  
  
• or http://www.owasp.org/ (for web services)

---
http://www.ncjrs.org/
http://virlib.ncjrs.org/lawe.asp?category=48&subcategory=193
Electronic Criime Scene Investigations - Guide for first responders
http://www.ncjrs.org/pdffiles1/nij/187736.pdf
---
WS-I releases Web Services Security Scenarios
http://www.ws-i.org/
http://www.techweb.com/wire/story/TWB20040225S0014
http://www.ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf
  ¶ permanent link

  Comparison Cobit vs. ITIL vs. ISO17799
.. strengths and weaknesses of each and which one to look at if in need of XYZ..
http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf  ¶ permanent link

  Misinformation in Security Advisories (ASN.1)
Bugtraq carried a very good posting by John Compton, that aims to clarify some misunderstandings.
http://www.securityfocus.com/archive/1/354034  ¶ permanent link

  Just a really nice day at home
I just had a really nice day at home playing with my nephews-to-be..   ¶ permanent link

  I'm a CISM.. =)
The letter from ISACA with the certificate just arrived. I'm now a Certified Information Security Manager (CISM), which goes nicely with my Certified Information System Security Professional (CISSP) from (ISC)2.
- This makes me feel a bit strange and reminds me of the time I spent in the USA. It also makes me feel old and awkwardly aware that my CISSP three year anniversary is in March. "Stefan Keller, CISM, CISSP" or "Stefan Keller, CISSP, CISM"? - It's still an uncommon thing to boast certifications in Germany..
I hope it shows that I really enjoy working in the security field. (I think it will be the last cert. for some time..)  ¶ permanent link

  Another good security blog: Randy Bias   ¶ permanent link

  [CISSP-FFM] Notes from the CISSP-FFM Meeting, 15.01.2004
Just to wet the appetite of anyone in the greater Frankfurt (Germany) area.

The next meeting is planned to be Friday, 20.02.04 with Ernst&Young in Eschborn (Thank you Marcus!).
The next Bird-of-Feather event is the GI security management workshop this Friday, 06.02.04, in Frankfurt.

This one was a long meeting in Wiesbaden. We started at 19:30 and kept talking until 00:30 - which raised some concern for the safety of the Daimler folks that had to drive home all the way to Stuttgart. We quickly discussed whether we wanted any membership fees (no), and then moved on to a review of the Chaos Communication Conference in Berlin (Dec 27-29). We went through several presentation slides from the conference and the CISSP-FFMers that went there presented the key findings there. (see separate mail to the list) Marcus Rubenschuh gave a presentation on the German results of the E&Y's Information Security Survey. We then discussed the impact of Spam, the current situation and possible future scenarios. We then went through the slides to a NIST workshop on security metrics. There was criticism on the overall lack of good examples. We also did a brainstorm on future Birds-of-feather sessions around upcoming events, possible locations/calendar for the next events and a wish-list for field trips .. .

So please do join the fun: CISSP-FFM mailing list CISSP-FFM@Balrog.DE
Public Webinterface to subscribe and unsubscribe: http://AEble.DynDNS.ORG/cgi-bin/mailman/listinfo/cissp-ffm

  ¶ permanent link

  Netcraft's humorous DNS education on MyDoom, DDOS..
..quotes five solutions and is titled "www.sco.com is a weapon of mass destruction".
http://news.netcraft.com/archives/2004/01/30/wwwscocom_is_a_weapon_of_mass_destruction.html  ¶ permanent link

  Freeware sites: snapfiles
  ¶ permanent link

  The nuclear boy scout
This is an older story, but I do like it a lot. From Harper's Magazine, Nov 1998: "The radioactive boy scout: when a teenager attempts to build a breeder reactor. (case of David Hahn who managed to secure materials and equipment from businesses and information from government officials to develop an atomic energy radiation project for his Boy Scout merit-badge)"   ¶ permanent link

  Cccure.org (The CISSP Open Study Guides Web Site)
Cccure.org (The CISSP Open Study Guides Web Site) has a online copy of the Handbook of Information Security Management as well as a variety of other good resources.
  ¶ permanent link