October 2004 Archives

Canadian reaction to the Patriot act

There's a very interesting post over at Dana Epp's ramblings at the Sanctuary: B.C Privacy Commissioner says the USA Patriot Act violates privacy laws

I think one very interesting thing which this action may stir up is, given the apparent dichotomy between US privacy laws and the EU Data Protection Directive, why hasn't more action been taken by the various European data protection commissioners to ensure that data relating to EU citizens is properly handled when in the US? Right now the guidelines (at least what I've seen of them) seem fairly vague and not really in keeping with the level of rigour that the rest of the act's provisions have...

Microsoft Security Guidance Center

Over at the Microsoft Security Guidance Center, there's an interesting looking list of Microsoft security documents for free download (unfortunately to get the PDFs you need to register and give some information that seems pretty unrelated to the documents, like your address).

Useful info on Windows Processes

Found a couple of links which give lots of useful information on Windows processes, like the detail of what each does. Links here and here.

Of course you should always be cautious about assuming that just 'cause a process has a given name that it will do what is contained in lists like this, as it isn't too hard to create a binary with any given name. However, useful info all the same.

InfoSec questionnaire

Here's an interesting questionnaire published by the World Bank as an assessment methodology for organisational security.

I've not had a chance to go all the way through it in detail, but it looks like it's got some interesting ideas in it. However, one thing that I'm not too keen on in it so far is the section structure. They seem to have sections at very different levels of detail. For example, one section for authentication/access control, quite a large area to cover, and then one specifically for active content control for Internet access, which is a very specific area to cover!


locking down USB

An interesting blog entry on Locking Down The Obvious: USB

I think it's a point well made. Essentially companies need to look at USB ports in the same way they look at CD-ROMs and floppy drives. If CDs and floppies are locked down then USB ports should be as well... although it is more challenging technologically as USB ports have a wider range of functionality than CD drives, which makes it more likely that they will need to be enabled.

It also looks like software products are coming into the market to manage this kind of functionality where required. For example Reflex disknet pro looks like an interesting way of controlling access to removable media, including USB keys....

Open source Monitoring framework

I found an interesting product called GroundWork.

However, what was more interesting to me was the adverts they're using to attract customers, which are actively promoting the product's open source background.

"no proprietary hassles" and "open source flexibility" are 2 of the phrases from the ads.

I'd be interested to know how that approach works out for them, 'cause it's fairly opposed to what a lot of the research firms seem to say about open source, which is that big business finds the open source nature of the software a turn off...

More on Passwords/passphrases

Password vs. Passphrase redux

Interesting article covering passwords and passphrases. I must say that personally I'm not too fond of trying to remember passphrases (I tend to forget how I punctuated them when I originally set them)...

One of the more interesting ways I've heard of for setting passwords was a friend of mine who uses the second letter of each word of song lyrics which he's written himself ;op

Now this doesn't sound like a good idea

The story over at Wired covers the news that American passports are going to get RFID chips...

As is mentioned in the story, I don't really understand why they don't just use chips that require contact, thus reducing the risk that the chip is read by unauthorised persons considerably...

Also I can see the sales of passport holders that block RFID signals going through the roof!! (hmm wonder if I could patent that sharpish ;op)

bootable USB OS

There's a story over at Slashdot, covering the idea of a bootable USB based operating environment based on Damn Small Linux.

I could see this kind of thing as quite handy if you wanted to use cybercafes or other untrusted computers, without the risk of, software, spyware. Of course whether the cybercafe owners would be too happy with you booting one of their PCs off a USB memory stick is another matter.....

There's an interesting post over at Schneier on Security: Security Information Management Systems (SIMS).

This post touches on 2 current security issues, firstly managing the ever growing amounts of security-related log information and secondly the outsourcing of security related tasks.

On the subject of the use of outsourcers for security monitoring, I must say that I'm not wholly convinced that passing the information to a 3rd party is the best way to handle it. My reservations centre around the fact that someone who doesn't work for an organisation has a lot less information on which to base decisions relating to the information being analysed.

For example, an internal log monitoring team will likely have more information about projects occurring within the company, and the location and roles of IT and other departments, which would help them decide whether a pattern of information in a log is an attack or just the result of a new service that's being tested.

In the large organisations I've seen it can be enough of a challenge for someone working for the company to know what's going on, on the network; for an outsider it can be next to impossible.....

Vulnerabilities in Multiple browsers

An interesting advisory from Secunia - Multiple Browsers Dialog Box Spoofing Test, and another one here.

Goes to show that there are still vulnerabilities to be found, and also it's not just IE that has security issues...

Reducing Attack Surface

There's a link to a very interesting over at Michael Howard's blog commenting that the Security issue of MSDN is out today.

The article linked from the posting is very interesting as well in that it talks about reducing attack surface.
On the whole, I'm really happy that this is getting focus from a company like Microsoft, because if anyone can make developers sit up and listen it's Microsoft (commercial ones 'cause they're all involved with Microsoft somehow, and Open Source ones 'cause if nothing else they'll be out to try and prove that they do it better than Microsoft ;op).

However, that said, I think that there's something missing from Microsoft's definitions of how to reduce attack surface. In the article they mention 3 ways of helping to reduce attack surface:

* Reduce the amount of code executing by default
* Reduce the volume of code that is accessible to untrusted users by default
* Limit the damage if the code is exploited

However, I think there should be a fourth. Although it primarily relates to operating systems, it could also apply to other software.

* Reduce the amount of code installed.

This is important especially on operating systems: the more code that is installed, the higher the likelihood that some of it will have security vulnerabilities (especially if you follow the oft-quoted truism that there will be 1 security related problem in every 1000 lines of code).

I think this is important at the moment as you see both Microsoft and the Linux distribution vendors shipping more and more code with their operating systems and the default install sizes going up and up. Well, if nothing else that just causes a nasty patch management problem, as the more code you have deployed the more you have to patch..

I could follow on to a rant about the relative ease of removing unneeded software from servers (cough cough web browser cough cough), but I think I'll leave that for another day...


And now I'm back....

Well it's taken far longer than it should have to get this up and running again, but I've had some issues getting everything set up at the new house (and indeed this is still running through a bit of a hack, using Dynamic DNS, some redirection and some port forwarding).....

but t'was getting annoying not having this here, so I thought it better to get it up and running in this way rather than wait for the complete solution, as a result the domain name's not the same as was, so it'll be a little while before it's all working properly....

About this Archive

This page is an archive of entries from October 2004 listed from newest to oldest.

July 2004 is the previous archive.

November 2004 is the next archive.

Find recent content on the main index or look in the archives to find all content.
