Security musings (reflectorium)
Saturday, January 31, 2004
Risk management for e-banking
The "Basel Committee on Banking Supervision" published "Risk Management Principles for Electronic Banking" (July 2003). Nothing earth-shakingly new, but a good checklist for anyone working on an e-banking solution, or any similar beast. (Always good to run sanity-checks on yourself.)
Living with terror
An interesting, although older, article in CIO magazine that takes a look at how real big companies prepare for real big threats... (or so they say)
Friday, January 30, 2004
NIST draft SP800-27 Rev A "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)"
NIST released a new Special Publication Draft. As their material is usually very good and can be nicely re-used, it probably means additional week-end reading for most of us. Another stab at System Life-cycle development security (SLCD)!
Thursday, January 29, 2004
Microsoft offers Security Awareness posters
From a posting on http://groups.yahoo.com/group/security-awareness , mentioned by Gideon Rasmussen on cisspforum: Microsoft is offering 3 free security awareness posters in PDF format for immediate download as well as in a pack of 75 (25 ea). The URL for downloading/ordering is http://www.microsoft.com/education/?ID=SecurityPosters
(U.S. and Canada only) *sigh*
"Grand Research Challenges in Information Security & Assurance"
A conference that took place last year and found some big strategic goals on what should really be improved. Good synopsis on the front page.
"The announcement provides information on the first of a series of efforts to improve the cyber information available from US-CERT."
Please see Press Release located at:
Tuesday, January 27, 2004
US banking group BITS: guidelines for security in outsourcing (Excel sheet)
BITS, a nonprofit industry consortium of the 100 largest financial institutions in the USA, offers guidelines on security in outsourcing. They are based on ISO17799 with additional input from members.
A long story on it is here on Computer World.
The actual guidelines (Excel) are in the Papers and Publications section of the BITS website. (Some other goodies there.)
Monday, January 26, 2004
Cartoons on IT security
Have a look at this site for a more comical take on IT security awareness.
Well, at least I liked them...
Sunday, January 25, 2004
Simon Singh's "Code Book" and the Cipher Challenge
Just finished reading Simon Singh's "Code Book", which I find a very entertaining read on the history of cryptography. He has some very entertaining details on the earlier history, incl. how weak encryption killed Mary Stuart. At the end of the book is a cipher challenge that actually took on an interesting life of its own. (Simon Singh has a really nice website.)
Actually, the story of how the Swedes solved the Cipher Challenge deserves a direct link "How we cracked the code book ciphers". (Great reading!)
New Special Publication Drafts from NIST
NIST has some new drafts for Special Publications. They include "DRAFT Special Publication 800-30 Rev A, Risk Management Guide for Information Technology Systems" and "DRAFT Special Publication 800-27 Rev A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security)". - You can still comment until March 20, 2004.
Saturday, January 24, 2004
RFID soccer
Researchers in Germany are working on putting RFID tags into ball and shoes/garb to help referees? - Interesting, but somehow odd story. (Don't they have constant TV surveillance already? And some thousands watching them?)
Thursday, January 22, 2004
INFOSEC Zeitgeist
Abraham Usher analysed the topics that Information Security folks were particularly interested in (or appeared to be) over the past year, by looking at mailing lists, etc. You can find his analysis at http://www.sharp-ideas.net/research/infosec_zeitgeist.html
Wednesday, January 21, 2004
NIST's Computer Security Incident Handling Guide available
The National Institute of Standards and Technology (NIST) has released a Computer Security Incident Handling Guide (Special Publication 800-61).
You can find it at http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Monday, January 19, 2004
Cybercrime Law Survey
"Cybercrimelaw.net is a presentation of penal laws on cybercrime around the world. The site currently contains information about the laws in 60 countries, including those preparing such legislation."
Links from CISSP-FFM meeting January 15th, 2003 in Wiesbaden (Germany)
Here are some of the links that came up in our CISSP-FFM meeting the other day.
Hot dates for BoFs:
06.02.2004 GI FG SecMgt. in Frankfurt/Niederrad
24.03.2003 TruSecure Event
5.-7.10.2004 InfoExchange CA in Mannheim
Sunday, January 11, 2004
Notes from the Chaos Communication Congress 2003
The Chaos Communication Congress is an annual hacking conference organised by the Chaos Communications Club. I made it somewhat of a habit of going there "between the years". This year it was somewhat more fun, as we had a small CISSP-FFM BoF meeting around it.
Below are my notes from the event. (Some facts, also spelling, might be wrong.)
You can find more details on the Congress website.
Most workshops have been documented on video. 41 congress videos of the event are online.
Security Nightmares 2003
- embedded systems?
- hacks at WLAN spots (e.g. trains, airports)
arp-spoofing at airport lounge (took place [fr])
- zombies on consoles (lots) [didn't happen, or did it?]
- secure account information to BaFin (KWG §24c) since 1 Apr 2003
- silent bugfixes (i.e. a seemingly small bugfix also fixes other serious holes)
- MS monthly patch cycle (provides for 0day preparation and sysadmin vacation planning)
- network scanning tools for symbian (nmap,..) (->atstake etc, oli whitehouse)
- fake mails
- oss server distro/dev compromises
- gpg el gamal fuckup
- physical security (two australian gov servers stolen)
- OpenSSH and OpenSSL --> wide_open...
- DDOS as commercial service in 2003 (from eastern Europe)
- "content" viruses, harmful code in media data
- voting machines issues
- US implements blinkenlights with regions.. (black-outs)
- problems with car key systems and wireless cash restaurant systems, lpd, ... (car key systems work at 433 MHz)
- Ethereal overflows, Kismet overflows (via malicious SSID)
--> aiba.org (sp?)[building hacking, bus ...]
Security Nightmares - future
- problems with IP-connected end-user devices
- automatic pushing of business cards (Palms and Bluetooth) .. at CeBIT 04
- superwormzz, malicious payloads .. (2 mins to format 14,000 out of 16,000 in simulated network?)
(worms speaking ABAP? [participant question])
- OSS develop infrastructure
- ERP on the Internet
- distributed computing "issues"
- ARP Spoofer hunt on airports
- exploits via VoIP/video telephony (codec sources not sufficiently audited, many buffer overflows..)
[voice spoofing][covert surveillance, open mikes..][patching...]
- Telephone systems (PBX)
- IPv6 (bypass IPv4 packet filters, no need for NAT?? ...)
- vuln in online games (multiplayers, real money, ebay)
- instant messaging "issues"
- biometry (identity spoofing)
- voting machine massacre US presidential elections 2004 ?
- RFID-scare overdrive
(anti-personnel mines aimed at US army boot RFID tags? effects of RFID on money bills for robbers?)
Big Brother Awards
- artificial snow from a can
Cryptophone (http://www.cryptophone.de )
- 1,800 Euro a system, but free PC software
- encryption in GSM very much broken
- expects amateur GSM sniffing within 2-3 years
- cheap sniffing hardware from india, russia
- because of FPGA chips more available, custom hardware cheaper, TWIRL
- TCG: must have RSA-2048 or better (TCG 1.2)
- SHA-1: too small output?
Windows Insecurity (Volker Birk) (his website and slides)
- shatter attacks (vs. personal firewalls)
- no security model between apps on IPC, DDE, ActiveX, COM, ...
- any process using window very vulnerable
Phenoelit (SAP exploit, Unicode wchar script)
- buffer overflow exploits in SAP A-Gate (4) and mySAP.com
- (SAP web software implementation flaws)
- venetian exploits, script
- search for "dark winter"
- access to flash, memory through testing interface (without running system)
- US VISIT program using JPEGs for finger print data? (no templates used?)
Calendar of security events (in German)