Security musings (reflectorium)
Security musings (reflectorium)
Saturday, January 31, 2004
  Risk management for e-banking
The "Basel Committee on Banking Supervision" published "Risk Management Principles for Electronic Banking" (July 2003). Nothing earth-shakingly new, but a good checklist for anyone working on an e-banking solution, or any similar beast. (Always good to run sanity-checks on yourself.)  
(0) comments
  Living with terror
An interesting, although older article in CIO magazine that takes a look at how real big companies prepare for real big threats.. (or so they say) 
(0) comments
Friday, January 30, 2004
  NIST draft SP800-27 Rev A "Engineering Principles for Information Technology Security
(A Baseline for Achieving Security)"

NIST released a new Special Publication Draft. As their material is usually very good and can be nicely re-used, it probably means additional week-end reading for most of us. Another stab at System Life-cylcle development security (SLCD)! 
(0) comments
Thursday, January 29, 2004
  Microsoft offers Security Awareness posters
From a posting on , mentioned by Gideon Rasmussen on cisspforum: Microsoft is offering 3 free security awareness posters in PDF format for immediate download as well as in a pack of 75 (25 ea). The URL for downloading/ordering is
(U.S. and Canada only) *sigh*  
(0) comments
  "Grand Research Challenges in Information Security & Assurance"
A conference that took place last year and found some big strategic goals on what should really be improved. Good synopsis on the front page. 
(0) comments
"The announcement provides information on the first of a series of
efforts to improve the cyber information available from US-CERT."
Please see Press Release located at: "
(0) comments
Tuesday, January 27, 2004
  US banking group BITS:guidelines for security in outsourcing (Excel sheet)
BITS, a nonprofit industry consortium of the 100 largest financial institutions in the USA, offers guidelines on security in outsourcing. They are based on ISO17799 with additional input from members.
A long story on it is here on Computer World.
The actual guidelines (Excel) are in the Papers and Publications section of the BITS website. (Some other goodies there.) 
(0) comments
Monday, January 26, 2004
  Cartoons on IT security
Have a look at this site for a more comical take at IT security awareness.
Well, at least I liked them...
(0) comments
Sunday, January 25, 2004
  Simon Singh's "Code Book" and the Cipher Challenge
Just finished reading Simon Singh's "Code Book", which I find a very entertaining read on the history of cryptography. He has some very entertaining details on the earlier history, inl. how weak encryption killed Mary Stuart. At the end of the book is a cipher challenge, that actually took on an interesting life of it's own. (Simon Singh has a really nice website.)
Actually, the story of how the Swedes solved the Cipher Challenge deserves a direct link "How we cracked the code book ciphers". (Great reading!) 
(0) comments
  New Special Publication Drafts from NIST
NIST has some new drafts for Special Publications. They include "DRAFT Special Publication 800-30 Rev A, Risk Management Guide for Information Technology Systems" and "DRAFT Special Publication 800-27 Rev A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security)". - You can still comment until March 20, 2004. 
(1) comments
Saturday, January 24, 2004
  RFID soccer
Researchers in Germany are working on putting RFID tags into ball and shoes/garb to help referees? - Interesting, but somehow odd story. (Don't they have constant TV surveillance already? And some thousands watching them?) 
(0) comments
Thursday, January 22, 2004
  INFOSEC Zeitgeist
Abraham Usher analysed the topics that Information Security folks were particulary interested in (or appeared to be) over the past year - by looking at mailing lists, etc.. You can find his analysis at 
(0) comments
Wednesday, January 21, 2004
  NIST's Computer Security Incident Handling Guide available
The National Institute of Standards and Technology (NIST) has released a Computer Security Incident Handling Guide (Special Publication 800-61).
You can find it at 
(0) comments
Monday, January 19, 2004
  Cybercrime Law Survey
" is a presentation of penal laws on cybercrime around the world. The site currently contains information about the laws in 60 countries, including those preparing such legislation."  
(0) comments
  Links from CISSP-FFM meeting January 15th, 2003 in Wiesbaden (Germany)
Here are some of the links that came up in our CISSP-FFM meeting the other day.

__Hot dates for BoFs:
06.02.2004 GI FG SecMgt. in Frankfurt/Niederrad
24.03.2003 TruSecure Event
5.-7.10.2004 InfoExchange CA in Mannheim
(0) comments
Sunday, January 11, 2004
  Notes from the Chaos Communication Congress 2003
The Chaos Communication Congress is an annual hacking conference organised by the Chaos Communications Club. I made it somewhat of a habit of going there "between the years". This year it was somewhat more fun, as we had a small CISSP-FFM BoF meeting around it.

- Below are my notes from the event.
(Some facts, also spelling, might be wrong.)

You can find more details on the Congress website.
Most workshops have been documented on video. 41 congress videos of the event are online.

Security Nightmares 2003
- embedded systens?
- hacks at WLAN spots (e.g. trains, airports)
arp-spoofing at airport lounge (took place [fr])
- zombies on consoles (lots) [didn't happen, or did it?)
- sichere Kontoinformationen an BaFin (KWG ยง24c) seit 1.4.03
- silent bugfixes (i.e. a seemingly small bugfix also fixes other serious holes)
- MS monthly patch cycle (provides for 0day prepartaion and sysadmin vacation planning)
- network scanning tools for symbian (nmap,..) (->atstake etc, oli whitehouse)
- fake mails
- oss server distro/dev compromises
- gpg el gamal fuckup
- physical security (two australian gov servers stolen)
- OpenSSH and OpenSSL --> wide_open...
- DDOS as commercial service in 2003 (from eastern Europe)
- "Content"-Viren, harmful code in Media-Daten
- voting machines issues
- US implements blinkenlights with regions.. (black-outs)
- problems with car key systems and wireless cash restaurant systems, lpd and (car key systems work at 433 MHz)
- etherreal overflows, kismet overflows (via malicious SSID)

--> (sp?)[building hacking, bus ...]

Security Nightmares - future
- problems with IP-connected end-user devices
- automatic pushing of business cards (palms and bluetooth) .. on cebit 04
- superwormzz, malicious payloads .. (2 mins to format 14,000 out of 16,000 in simulated network?)
(worms speaking ABAP? [participant question])
- OSS develop infrastructure
- ERP on the Internet
- distributed computing "issues"
- ARP Spoofer hunt on airports
- exploits via VoIP/Videotelefonie (codec sourcen not sufficiently auditted, many buffer overflows..)
[voice spoofing][covert surveillance, open mikes..][patching...]
- Telephone systems (PBX)
- IPv6 (bypass IPv4 packetfilters, no need for NAT?? ...]
- vuln in online games (multiplayers, real money, ebay)
- instant messaging "issues"
- biometry (identity spoofing)
- voting machine massacre US presidential elections 2004 ?
- RFID-scare overdrive
(anti-personnel mines aimed at US army boot RFID tags? effects of RFID on money bills for robbers?)

Big Brother Awards

- Kunstschnee aus der Dose

Cryptophone ( )
- 1,800 Euro a system, but free PC software
- encryption in GSM very much broken
- expects amateur GSM sniffing within 2-3 years
- cheap sniffing hardware from india, russia

RSA-1024 insecure
- because of FPGA chips more available, custom hardware cheaper, TWIRL
- TCG: must have RSA-2048 or better (TCG 1.2)
- SHA-1: too small output?

Windows Insecurity (Volker Birk) (his website and slides)
- shatter attacks (vs. personal firewalls)
- no security model between apps on IPC, DDE, ActiveX, COM, ...
- any process using window very vulnerable

Phenoelit (SAP exploit, Unicode wchar script)
- buffer overflow exploits in SAP A-Gate (4) and
- (SAP web software implementation flaws)
- venetian exploits, script
- ollydbg

- search for "dark winter"

- access to flash, memory through testing interface (without running system)

- US VISIT program using JPEGs for finger print data? (no templates used?)

(0) comments
  Calendar of security events (in German)
Click here.  
(0) comments

Me enjoying a "Mate-Club", Alt-Landsberg near Berlin, summer 2003.

RSS Feed now atom.xml!
My public bloglines universe

Essential Security Web-Sites
Internet Head Up Display, Internet Storm Center incl. Handler's Diary on Virii and Security - Messagelabs stats, Trendmicro, Symantec, CAI, McAffee, F-Secure -- securityfocus, packetstorm

Recently added Detections from CAI
Standalone Virus Cleaner
Trendmicro Sysclean and Signature, Symantec Removal tools, Stinger from McAfee, F-Secure removal tools, Bitdefender free removal tools
The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.
11/01/2003 - 12/01/2003
/ 12/01/2003 - 01/01/2004
/ 01/01/2004 - 02/01/2004
/ 02/01/2004 - 03/01/2004
/ 03/01/2004 - 04/01/2004
/ 04/01/2004 - 05/01/2004
/ 05/01/2004 - 06/01/2004
/ 06/01/2004 - 07/01/2004
/ 07/01/2004 - 08/01/2004
/ 08/01/2004 - 09/01/2004
/ 09/01/2004 - 10/01/2004
/ 10/01/2004 - 11/01/2004
/ 01/01/2005 - 02/01/2005
/ 02/01/2005 - 03/01/2005
/ 03/01/2005 - 04/01/2005
/ 04/01/2005 - 05/01/2005
/ 05/01/2005 - 06/01/2005
/ 06/01/2005 - 07/01/2005
/ 07/01/2005 - 08/01/2005
/ 01/01/2006 - 02/01/2006
/ 02/01/2006 - 03/01/2006
/ 03/01/2006 - 04/01/2006
/ 06/01/2006 - 07/01/2006
/ 08/01/2006 - 09/01/2006
/ 09/01/2006 - 10/01/2006
/ 12/01/2006 - 01/01/2007
/ 03/01/2007 - 04/01/2007
/ 05/01/2007 - 06/01/2007
/ 07/01/2007 - 08/01/2007
/ 08/01/2007 - 09/01/2007
/ 10/01/2007 - 11/01/2007
/ 11/01/2007 - 12/01/2007
/ 12/01/2007 - 01/01/2008
/ 02/01/2008 - 03/01/2008
/ 09/01/2008 - 10/01/2008
/ 10/01/2008 - 11/01/2008
/ 03/01/2009 - 04/01/2009
/ 09/01/2009 - 10/01/2009
/ 11/01/2009 - 12/01/2009
/ 01/01/2010 - 02/01/2010
/ 02/01/2010 - 03/01/2010
/ 06/01/2010 - 07/01/2010

Powered by Blogger

related blogs: general and family research