Monday, September 30, 2013

My Review of "Practical Anonymity" by Peter Loshin

"Practical Anonymity" by Peter Loshin

Despite only giving it a 3 star review, let me start with this: it is not a bad book.

It did confuse me in several ways. Firstly, despite the title, this is not a book on remaining anonymous on the Internet. This is predominantly a book on setting up and using Tor to permit you to be anonymous on the Internet. The last chapter briefly covers anonymous email, but the vast majority of the book covers Tor.

Secondly, I was confused about what the target audience is. If it is aimed at the lay person who is worried about anonymity, then it is too deep and will scare off all but the most persistent. If it is aimed at the technical user who wants to understand the detailed inner workings of Tor, then it probably falls short. It does provide a fairly comprehensive discussion of the basics of Tor applicable to the novice user, but that is a small portion of the book. The majority of the book is a more detailed overview of the various features of Tor and how to set them up, which is suitable for a more technical audience.

Thirdly, this book suffers from inconsistent editing, periodically repeating concepts a couple of paragraphs or pages apart, often with almost identical phrasing.

That said, the book is easy to read and reasonably well organized. The coverage of Tor is very complete and far easier to read than the Tor documentation.

If you are moderately technical and are looking for a book on the capabilities of Tor, then this is a good book to start with. If you are a computer user looking for a way to stay anonymous on the Internet, then the first few chapters are good, but probably not worth buying the whole book for. You would probably be better off with the introductory Tor documentation.

My overall rating...3 stars

Tuesday, July 19, 2011

B-Sides SK anyone?

We haven't had a good security conference in the SK in a while...so let's make one! Anybody interested in helping (organizing, speaking, sponsoring, etc.) with a Security B-Sides event in Regina please contact me. I would like to try and roll one up for spring.

For those of you not familiar with the Security B-Sides concept here is their website with an explanation.

Friday, March 04, 2011

Zoneinfo-Arthur David Olson is retiring

It is geek out Friday for me. In the spirit of weird things that interest me, I found a reference to Arthur David Olson retiring. For those of you who have never heard of the esteemed Mr. Olson: any *nix geek is aware of the database that is used to tell your computer when to switch to/from daylight savings time. If you thought that this database was maintained by some central authority somewhere, as most people do, you couldn't be more incorrect. Arthur David Olson is the founder and maintainer of the Zoneinfo or tz database, which is used by computer systems everywhere to determine when to switch to and from DST. He created it, and has maintained it as a labour of love since its inception. He has suddenly become a bit of a celebrity because he is retiring and IANA is scrambling to take over ownership of this important function.
But while that in itself is interesting what is even more interesting is that the tz database is not just a boring database of rules for timezones, it is a historical compendium of timezone rules and the history behind them dating back hundreds of years. Given that it is just a plain-text file, anyone can read this history. Some of it is very intriguing. A brief description of some of the nuggets in the database can be found at Jon Udell's Blog or you can download a copy to peruse at nih.gov.

Friday, September 24, 2010

Seth Godin on the Fear Tax

An excellent blog article by Seth Godin on the "Fear Tax".  Hopefully a few more people will "get it".

Saturday, September 18, 2010

This hits way too close to home!

This xkcd hits way too close to home...

http://xkcd.com/792/

Enjoy!

Tuesday, December 29, 2009

How safe are your browser passwords?


Are you one of those people who stores all of your web logins in your browser? I have had lots of people tell me that it is unsafe to store your userids and passwords in your browser. But not being one to take other people’s word for it I decided to test it myself.

Firefox


Firefox stores passwords on a per profile basis in a file called signons.sqlite; the userids and passwords stored in that file are base-64 encoded using a key stored in key3.db. Note that I said encoded, not encrypted. Encoded means that anyone with access to signons.sqlite and key3.db can reverse the encoding to reveal the userids and passwords. There are several tools available to do just that. Below is a screenshot from Password Fox, one of the so-called password recovery tools that decode Firefox passwords. As you can see it displays both the userid and the password.





If you have access to the browser you don’t even need one of the recovery tools. If you go into the Tools -> Options -> Security screen there is a “Saved Passwords” button which will gladly show you the userids and if you click the “Show Passwords” button, the passwords as well.




One of the other features of Firefox is the ability to add a master password. The master password is used to encrypt the userids and passwords in the password store. The master password must be provided when you start Firefox and is used to decode the userids and passwords as required. This means that without the master password the "password recovery" tools like Password Fox can still tell what sites you have stored, but can't view the userids or passwords.





There is another advantage of setting a master password. With a master password set, when you click the "Saved Passwords" button you must enter the master password before you can view the stored information.

Of course, there are a number of tools out there to “recover” the Firefox master password. Under the covers these tools are all brute force engines.

What this tells me is that if you use a high quality password, or better yet a high quality passphrase there shouldn’t be any real risk to storing your Internet userids and passwords in Firefox.
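To make the encoded-versus-encrypted distinction concrete, here is an added example (my own illustration for this post, not Firefox code and not a reproduction of how signons.sqlite or key3.db actually work). It stores a constructed sample secret two ways: as a plain reversible encoding that anyone holding the blob can undo, and under a key derived from a master password with PBKDF2, where a wrong master password is detected and yields nothing. The stream cipher is a toy built from HMAC so the script runs with the standard library only; a real store would use AES-GCM or similar. The last function estimates how long a brute-force engine needs to exhaust a password space, which is the point about long passphrases.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the kind of secret a browser password store holds.
SAMPLE_SECRET = "hunter2"


def store_encoded(secret: str) -> str:
    """Store a secret with reversible encoding only; no key is involved."""
    return base64.b64encode(secret.encode()).decode()


def recover_encoded(blob: str) -> str:
    """Anyone holding the blob can reverse an encoding; no password needed."""
    return base64.b64decode(blob).decode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. It stands in for a real
    # cipher so this runs without third-party packages (assumption: illustrative only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(master_password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key


def store_protected(secret: str, master_password: str) -> str:
    """Encrypt under a key derived from the master password and append a MAC."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive_keys(master_password, salt)
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ct + tag).decode()


def recover_protected(blob: str, master_password: str):
    """Return the secret only if the master password is right; None otherwise."""
    raw = base64.b64decode(blob)
    salt, nonce, ct, tag = raw[:16], raw[16:28], raw[28:-32], raw[-32:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong master password, or a tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force engine to try every candidate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("encoded, recovered without any key:", recover_encoded(store_encoded(SAMPLE_SECRET)))
    blob = store_protected(SAMPLE_SECRET, "correct horse battery staple")
    print("right master password:", recover_protected(blob, "correct horse battery staple"))
    print("wrong master password:", recover_protected(blob, "password1"))
    print("8 lowercase chars at 1e6 guesses/s: %.3f years" % years_to_exhaust(26, 8, 1e6))
    print("20 printable chars at 1e6 guesses/s: %.2e years" % years_to_exhaust(95, 20, 1e6))
```

The guesses-per-second figure is whatever the recovery tool can manage against the key-derivation cost; the takeaway is that the exponent (passphrase length and alphabet) dominates, which is why the choice of master passphrase matters more than the tool.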

Internet Explorer


Ok, I am a Firefox user normally, so I haven’t spent a whole lot of time on IE. But here is a quick overview.

Unfortunately Internet Explorer suffers from the same problems. IE PassView is one of many tools that can display Internet Explorer Passwords.



Unfortunately as far as I know IE 8 does not appear to have a master password or provide any other way to encrypt the userids and passwords.

Summary


In a nutshell: I wouldn't store userids and passwords in Internet Explorer. I feel safe enough storing userids and passwords in Firefox as long as a strong passphrase is used as the master password to encrypt them.

Of course there is still the issue of what the browsers do with passwords in memory. Perhaps that is research for another day, but for the moment I think I am prepared to take that risk.

Saturday, July 11, 2009

Interesting Post on Data Breaches

A little behind in my reading...I just read a post by Bryan Sartin at VerizonBusiness.com. The post is a good read, but one thing stuck with me. Bryan states...

"I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data thefts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), then account credentials, company-proprietary data, and a few other categories in a distant fourth and fifth by incidence...When stolen, payment card data tends to lead to fraud. That’s the whole point of stealing it. The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify the likely source of a suspected payment card breach for almost 10 years."

The point is that compromises of payment card information are rarely detected by the company that suffered the breach. Rather, the breach is detected by the payment card industry and traced back to the company through the resulting fraud and the tools utilized by the payment card industry.

No similar capability exists to trace the source of personally identifiable information, account credentials, intellectual property and other lost information.

Would you even know if your company was breached?

Sunday, May 17, 2009

Seth Godin on Tribes

Somebody recently put me on to the TED talks. I have been through several but one that has intrigued me is Seth Godin on Tribes. In a nutshell what Mr. Godin is talking about is that the Internet provides anyone with an impassioned cause the capability to create a movement or a tribe of people to spread your message.

Definitely worth a listen.

Wednesday, February 04, 2009

Mandiant Memoryze Review and other free Mandiant Tools

In follow-up to my ISC diary of January 2nd, Russ McRee of holisticinfosec.org has published his review of Mandiant's Memoryze tool. Russ was so impressed with Memoryze he awarded it the 2008 Toolsmith Tool of the Year!

For those of you who didn't read the first diary...Memoryze is a free tool from Mandiant to assist with Windows memory analysis. It is one small piece of the Mandiant Intelligent Response (MIR) product, released for public consumption.

Russ's review can be found at http://holisticinfosec.org/toolsmith/docs/february2009.pdf

Another outstanding free tool released by Mandiant in the last few weeks is Hilighter. Hilighter is a tool that assists in the viewing and analysis of log files and other text files. I have only played with it a little bit, but so far I am very impressed.

Mandiant has other free incident response tools available on their website as well:

Red Curtain - helps find and analyze unknown malware

Web Historian - assists with review of websites found in browser history files

First Response - incident response management software

If these first few releases are any indication it appears that the Mandiant folks are committed to providing top quality free tools to the incident response community.


Enjoy!

Friday, January 09, 2009

The Academy...Home!

Sometimes an idea comes along that was so obviously needed that you wonder why you didn't think of it yourself. One of those ideas is The Academy!

Because of very persistent marketing most people in the security industry have heard of The Academy. Peter Giannoulous has done an amazing job of promoting his security video website in an almost viral way using all sorts of Web 2.0 tools, from Linkedin to Twitter and everything in between.

Now Peter has gone one step further, launching The Academy Home. This site has the same general idea...videos on how to configure security...but the audience is much different. The Academy Home is aimed at the average computer user. Finally a good quality security website aimed at your parents and grandparents who are not savvy computer professionals and sorely in need of good quality, knowledge appropriate guidance.

So please help make this endeavour successful! Let all of your non-tech-savvy friends and relatives know about The Academy Home. Maybe you will even get a couple of nights off from tech-support. (-8

SANS Log Management Survey

I don't make personal pleas often, but this is something I truly believe can be significant in the security industry.

SANS is surveying individuals on log management practices in their organizations. The more people who take the survey, the more useful the results, so please give up 10 minutes of your time to complete it. Even if you have not yet started a log management project...please take the survey...your information is at least as important as that of those who have, if not more.

Thanks in advance!

Tuesday, December 30, 2008

25C3: MD5 Collisions and SSL Certs


At the Chaos Computer Congress currently on in Berlin, a group of researchers have described an attack that utilizes MD5 collisions to create an intermediate Certificate Authority which would permit them to act as a Man-in-the-Middle in SSL transactions. While a lot of effort went into creating a huge hype for this announcement, the short answer is that the Internet is not dead yet.

That said, this is a potentially serious attack. It permits somebody who is capable of generating an MD5 collision to effectively impersonate any SSL enabled website.

There is very little the end user or any website administrator can do. The solutions to this attack lie with the certificate providers...who must stop issuing MD5 signed certs. Verisign has announced that they are no longer issuing MD5 signed certs, others will follow quickly.

If you are an administrator of an SSL enabled web server or application you should take a look at your cert and see if it is signed with MD5 or SHA-1. If it is MD5, it would not be a bad idea to replace it with a new one signed with SHA-1. This will not prevent this particular attack (even if you have a SHA-1 signed cert, someone could impersonate your site using an MD5 signed cert), but it will go a long way to putting a nail in the coffin of MD5 signed certs once and for all.

How do you tell? Connect to each of your SSL enabled sites and double click on the padlock in the bottom right corner. Click "View Certificate", click the Details tab, scroll all the way down to the bottom and click on "Certificate Signature Algorithm". It should say "PKCS #1 SHA-1 With RSA Encryption" or something similar. If it says MD5 then I recommend calling your cert issuer and requesting a new one signed with SHA-1.
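If you have more than a handful of sites, clicking through the padlock gets old. Here is an added example of the same check done programmatically (my own script for this post, not from the researchers or any CA). It reads the signatureAlgorithm field straight out of a DER-encoded certificate with a minimal ASN.1 walker and maps the OID to a name, flagging MD5 as weak. By today's standards SHA-1 signatures are deprecated as well, so the table flags those too. The assess_server() helper fetches a live certificate with the standard library's ssl module (network required); the test input is a constructed certificate skeleton with an empty tbsCertificate, which is enough for this parser because it only reads the outer algorithm field.

```python
import ssl

# Signature-algorithm OIDs this check knows: oid -> (name, considered weak?)
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_cert: bytes) -> str:
    """OID of the outer signatureAlgorithm field of an X.509 certificate."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _, after_tbs = _read_tlv(cert_body, 0)            # tbsCertificate, skipped
    tag, alg_body, _ = _read_tlv(cert_body, after_tbs)   # signatureAlgorithm
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(alg_body, 0)           # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid_bytes)


def assess(der_cert: bytes) -> tuple:
    """(algorithm name, weak flag); weak is None for an OID not in the table."""
    oid = signature_algorithm(der_cert)
    return SIG_ALGS.get(oid, (oid, None))


def assess_server(host: str, port: int = 443) -> tuple:
    """Live check of a site's certificate; needs network access."""
    pem = ssl.get_server_certificate((host, port))
    return assess(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test input (not a real certificate) -----------------------
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def skeleton_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER: empty tbsCertificate, real algorithm field, dummy signature."""
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, "->", assess(skeleton_cert(oid)))
    # Live use: print(assess_server("www.example.com"))
```

Run it against your own hosts with assess_server() and anything that comes back flagged is a cert to get reissued.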

Saturday, September 20, 2008

New (to me) nmap features!

I spent a little time today catching up on some emails I filed away for future reading. One of the emails that caught my attention was a write up on Fyodor's announcement at Defcon of new features in the new version of Nmap (was 4.75, 4.76 is out now) and the subsequent email from Fyodor on the nmap-hackers list. A few of these features caught my attention.

The first one is --top-ports. Essentially Fyodor and company spent the summer scanning the Internet and, based on that research, classified all the TCP and UDP ports by how frequently they were found open.

According to their research

nmap --top-ports 10

will give you about 50% of the open ports and

nmap --top-ports 1000

will give you approximately 94% of the open ports.

The biggest difference is from a reconnaissance point of view. With the older nmap versions if you just let nmap loose with the default set of ports

nmap -sS -sU

nmap would scan over a thousand TCP and UDP ports. It wasn't quick against one IP, and it was interminably slow against a large IP range. For this reason most pentesters have a small range of 20-50 ports they use for discovery scans. With --top-ports this is largely superfluous, although there may be reasons you might want to add extra ports based on the environment being scanned.

Another option that came out of this research is the Fast Scan option (-F).

nmap -F

is perfect for discovery scans. It scans the top 100 ports of each protocol, increasing the speed from the default behaviour by an order of magnitude.
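Both --top-ports and -F come from the same place: the frequency column in nmap's nmap-services file, where each line reads "name port/proto frequency # comment". Here is an added example (my own, not nmap's code) that parses a constructed excerpt in that format, ranks ports per protocol by open-frequency, and reports what share of the summed frequencies the top N ports cover. The coverage figure is my own simple model of the "top 10 gets ~50%" numbers, so treat it as illustrative; the frequencies in the sample are made up. On the defensive side the same ranking tells you which ports a discovery scan will touch first, and therefore which ones deserve the closest watch in your own logs.

```python
# Constructed excerpt in nmap-services format; frequencies are illustrative only.
SAMPLE_NMAP_SERVICES = """\
# name        port/proto  open-frequency  # comment
http          80/tcp      0.48            # World Wide Web HTTP
telnet        23/tcp      0.22
https         443/tcp     0.21
ftp           21/tcp      0.20
ssh           22/tcp      0.18
smtp          25/tcp      0.13
msrpc         135/tcp     0.10
pop3          110/tcp     0.08
netbios-ssn   139/tcp     0.07
ms-wbt-server 3389/tcp    0.06
unknown       8081/tcp    0.001
snmp          161/udp     0.43
ntp           123/udp     0.12
domain        53/udp      0.06
"""


def parse_services(text: str) -> list:
    """Return (name, port, proto, frequency) tuples, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        entries.append((name, int(port), proto, float(freq)))
    return entries


def top_ports(entries: list, n: int, proto: str = "tcp") -> list:
    """What --top-ports N does for one protocol: the N most-often-open ports."""
    ranked = sorted((e for e in entries if e[2] == proto), key=lambda e: e[3], reverse=True)
    return [e[1] for e in ranked[:n]]


def coverage(entries: list, n: int, proto: str = "tcp") -> float:
    """Share of the summed open-frequency that the top n ports account for (my model)."""
    freqs = sorted((e[3] for e in entries if e[2] == proto), reverse=True)
    total = sum(freqs)
    return sum(freqs[:n]) / total if total else 0.0


def fast_scan_ports(entries: list, per_proto: int = 100) -> dict:
    """What -F does: the top `per_proto` ports of each protocol."""
    return {p: top_ports(entries, per_proto, p) for p in ("tcp", "udp")}


if __name__ == "__main__":
    entries = parse_services(SAMPLE_NMAP_SERVICES)
    for n in (1, 3, 5, 10):
        print("top %2d tcp ports %s cover %.0f%% of the sample"
              % (n, top_ports(entries, n), 100 * coverage(entries, n)))
    print("-F style selection (2 per protocol here):", fast_scan_ports(entries, 2))
```

Point parse_services() at a real nmap-services file and the same ranking reproduces the --top-ports list nmap would use; the coverage percentages will differ from the numbers above because they depend on the real frequency data.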

Taking a slightly different direction...I have always been an nmap command line bigot. This is partly because I have used nmap from the days when all that was available was the command line. Another reason is that I have never found an nmap GUI that I liked. Some of the new features in Zenmap have me re-evaluating that.

The two that got my attention are scan aggregation and mapping.

In short, scan aggregation is a feature that combines all scans performed from the same Zenmap window. This permits incremental scans, and analysis of the combined scan. Here is a screen shot of a couple of scans aggregated in Zenmap:

The mapping feature I still find a little lightweight, but it is an outstanding start. Here is the map from the same scan.

Some more detailed sample maps and a feature description are available at http://nmap.org/book/zenmap-topology.html.

There are other features that I haven't had time to look at yet, such as improved OS detection, rate limiting, and many, many, more.

Now if I can just get past my fear that nmap on Windows is somehow less accurate than nmap on *nix.

Friday, August 29, 2008

Cool: New Nmap features

Fyodor is God!!

Seriously...thanks to the Google Summer of Code and the hard work of Fyodor there are a bunch of new and way cool features coming in nmap.

Sunday, May 04, 2008

Declaration of Independence

Those who know me rapidly learn that I am not cut from the same cloth as the average person. I consider myself eccentric, intelligent, logical, and at the same time creative. I am not a good sheep, I can't settle for conformity, I challenge the status quo, and feel sorry for people who are willing to accept their lot in life without attempting to improve it.

While not directly security related, Pamela Slim has assembled a flash movie that closely resembles my philosophy on life, and is one of the most inspirational pieces I have seen in a long time. While she is trying to push the viewers towards entrepreneurial endeavours, the attitude and lifestyle she is proposing is very applicable to my life and should be applicable to most security practitioners' lives. This is not an industry that is made for people who are willing to accept the status quo, but rather for those who creatively look for solutions and push the envelope of technology and conventional thinking.

Hope you enjoy it!
Rick

Wednesday, January 09, 2008

Stephen Northcutt weighs in on security predictions (sort of)!

An interesting and somewhat insightful posting by Stephen Northcutt, the boss over at the SANS Technical Institute. Instead of doing his own predictions he has "borrowed" others'.

I would like to take a chance to comment on some of these:

"Apple Will Gain Significant New Market Share"
While I expect that Apple will gain market share (I know I am hoping to go back to one), I can't see it being huge over the long term. The problem is that the people who are going to Apple are tech-savvy people looking for something better, and I expect will also have a Windows computer around. The problem is the "unwashed masses" don't have the ability to realize that there should be something better than Windows, nor are they prepared to look past the mountains of software available for Windows to make an informed decision to go to a computer system which is easier to use and easier to live with.

Information Centric Security Phase One
I have been trying to convince people to make this shift for years. Unfortunately, through whatever fault, decision makers aren't prepared to look past the security FUD spewed by the security vendors and do a proper risk analysis. I think if you start looking at your information and classifying it you will be drawn to the conclusion that the hard crunchy shell with the soft interior is no longer applicable. The concept of perimeter security was great for its time, but it comes from a day when very little information was available online and the perimeter protected a few machines. This is a different world: most companies are 100% connected, and all of their crown jewels live on or are accessible from their corporate LANs. The volume of information available via a breach is astronomical compared to when perimeter security was conceived, and the sensitivity of the data stored on your corporate network is scary. It does not make sense to paint all data with the same brush any longer. Most information generated by the average corporation is mundane...however some of it is critical and the loss of that data can be fatal or at least severely harmful. Doesn't it make a lot of sense to start focusing security on the data and making sure the critical assets are better protected than your mundane information?

"even more paperwork will be devised by the clueless trying to help"
It sure seems the longer I am in security the more this is true. Nowadays it seems we spend more effort checking to see if we are compliant with whatever legislation or standard is sexy this week and less actually getting compliant, or better yet, getting secure! Standards are a wonderful thing to measure against, but the fact is they are a minimum set of controls which are great as a starting point. The fact is they don't represent reality, and they certainly don't represent your environment. We would all be better off if we spent less time doing compliance, and put more effort into doing what makes sense for us!

Thursday, January 03, 2008

GIAC, 20,000 strong

Near the end of December GIAC passed the 20,000 mark in certified individuals. This is a huge milestone for what is arguably the best security training organization anywhere (I am biased). Congratulations! Hopefully, 100,000 is not far off!

Friday, August 03, 2007

Jim Leroy died doing what he loved!


I have received a few emails and comments related to a blog entry from a couple of years ago about the death of Jimmy Franklin and Bobby Younkin. For those of you who don't remember Mr. Franklin and Mr. Younkin died during a collision while performing a dogfight routine at the Moose Jaw Airshow in 2005.

The other pilot involved in that performance, and the sole survivor of it, was an equally amazing pilot named Jim Leroy. Mr. Leroy himself died at an airshow in Dayton, Ohio this Saturday past.

There is not much to be said about the loss of another amazing pilot that has not already been said. He was one of a kind and will be sadly missed.

I did however want to point to the amazing job the Dayton Daily News has done in covering this event. There is everything there from introspectives, to pictures, to video of the crash itself. A very fitting tribute.

The content is all linked from one page here.

Jim Leroy 1961-2007, may he rest in peace.

Wednesday, April 11, 2007

Reminder: Inaugural event Friday

Just a reminder...the inaugural regina.whitehats.ca chapter get together is this Friday, April 13th at 7:00 PM at O'Hanlon's pub. I am hoping for a good turnout.

As an aside, I noticed that this event got some press in the Canadian Information Security Newsletter put out by Robert Beggs at Digital Defence. Thanks Robert!

See you all Friday!

Wednesday, February 28, 2007

Forming a security group in Regina, SK, Canada

As most of you know, I moved out to Regina from Ottawa a few years ago. One of the things I find missing in Regina is an active security community. Well, hopefully I have a way of solving that.

I am announcing here a Regina chapter of whitehats.ca. For now we are starting simply with a blog. At some point in the future hopefully it will have its own mailing list and website. But for now let's start with baby steps.

Hopefully the first meeting will be in April, in a local pub, with some good brews and good conversation.


Rick

Sunday, February 18, 2007

So you wanna get into IT Security!

Still catching up on my blog reading. I came across an interesting article by Richard Bejtlich over at the TaoSecurity Blog. The post offers suggestions to people with no experience who want to get into the security industry. I wholeheartedly agree with Richard's suggestions. Here they are, summarized for your enjoyment...

  1. Represent yourself authentically.
  2. Stop using Microsoft Windows as your primary desktop.
  3. Attend meetings of local security group.
  4. Read books and subscribe to free magazines.
  5. Create a home lab.
  6. Familiarize yourself with open source security tools.
  7. Practice security wherever you are, and leverage that experience.

As one of the roughly 68,000 people laid off during the continuing implosion of Nortel I have lived through the laid-off experience, and have counselled a few people in this area. Here are a couple of other items I would like to add.

Publish

In the Internet age self-publishing is easy. Put up your own web server at home and register a URL or domain with dyndns.org, or if that is too much work pages like infosecwriters.com will publish quality papers no questions asked.

I know... You all hate writing...so why would you do this?

Firstly, it gets your name out there. The ability to be Googled is not yet essential in this industry, but it sure doesn't hurt.
Secondly, it proves that you can write something coherent and readable and gives potential employers a source besides resume and interviews to measure your ability.
Third, it shows that you are serious! Everyone knows that most people intensely dislike writing. It will show that you have the ability to complete difficult tasks. The fact that you put the effort in will weigh in your favor.

Believe it or not this is not rocket science. I am not suggesting a 50 page treatise on detecting the PDF exploit using Snort. I am talking 5-10 pages on stuff you know. Write as you read... and learn. Consolidate learning from different sources into new views on a subject. Remember there are lots of people at the same level of knowledge as you and lots even lower who will be happy to read what you write to expand their knowledge.

Volunteer

Security organizations and conferences are always looking for people to help out. Volunteer for anything local to you. This is a great chance to meet people in the local security industry, and possibly even get the chance to learn some things.

Another place you can volunteer is community and open source projects. If you have coding skills volunteer for any of the open source security initiatives over at sourceforge or similar places. If you can't code, there are always community projects that are looking for a minimal amount of expertise and lots of enthusiasm to organize documentation, coordinate work etc. Or in a similar vein there are a number of consensus projects like the SANS Top 20 that are looking for opinions.

You are limited only by your imagination and your enthusiasm.

Rick

Friday, February 09, 2007

Witty comments

I've been working hard on studying for a certification the last bit, so I haven't been getting here much. Sorry.

Today I was catching up on some long neglected blog reading and got a chuckle compliments of the lovely people at F-Secure. They ran a contest for witty sayings for laptop stickers. The results are in and some are worth a chuckle...

I lost my password, can you tell me yours? — Azham R. of Malaysia
This is not the wireless access point you're looking for. — Matt L. of Australia
I just click OK to make the box go away. — Justin R. of UK
My botnet can beat up your botnet. — David B. of USA
Password is on a Post-it note on the display. — Ken T. of Germany

Have a good one!
Rick

Thursday, November 23, 2006

More Security Absurdity

Noam Eppel has posted his rebuttal to the commentary on his now legendary (if not infamous) Security Absurdity article. Noam is not apologetic, nor should he be. He states a lot of things that I wholeheartedly agree with. Here are a few nuggets from the article...

"Security Professionals are in the best position to create change and that is why we are responsible for this situation."

"I think the security community needs to redefine their definition of success. And I think they need to understand the unique position they are in to improve security and to accept that responsibility."

"In order for Best Practices to be relevant, they need to be attainable, practical, implementable and manageable. Today's security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing....Security is a process to be evaluated on a constant basis. There is nothing that will put you into a "state of security" - no best practice, no security guideline, no security checklist."

"My idea of security is that a user should be free to conduct "normal and common" activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities - i.e., parks in the daytime on a busy street and locks it with a good security system - then that is normal and common behavior and a crime should not be expected."

The solution won't be easy, but it begins with participation and collaboration between all of the groups involved in security and ends with an Internet that looks much different than today. Each player has a part to play...Software vendors, security vendors, lawmakers, executives and most of all the security practitioners. Ultimately the key to any solution involves the active participation of the security community.

Rick

Wednesday, November 01, 2006

Extreme password security or Microsoft screw-up? You be the judge!

Another laugh compliments of the boys (and girls) at Microsoft (via Gene Spafford). An error message from Windows when attempting to change your password...

"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."

Definitely extreme, but secure... (-8

Rick

Thursday, October 26, 2006

Looking for a Job in Security?

Through the years I have mentored people looking to break in to the security industry (mostly other former Nortel employees). One of the things I have always told them is to get your name out there. Whether through joining local associations, writing papers, or volunteering...or all of the above...if you lack relevant experience it is best to show competency and interest.

On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.

Rick

Monday, October 23, 2006

Top 10 Security Myths decomposed.

In reference to Pete Lindstrom's Top 10 Security Myths, I am not sure I agree, but here they are:

  1. Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing.
What do you think?

Rick

Friday, October 20, 2006

PHPSecInfo - What a great idea!

One of my biggest frustrations as a pentester is convincing web developers that their environment is set up incorrectly. PHPSecInfo is a tool you load directly on the server that validates the security of the environment and suggests improvements.

From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."

Good on ya!
Rick

Thursday, October 19, 2006

NIST Guide to Integrating Forensic Techniques into Incident Response

Somehow I missed this when it came out in August, but compliments of the smart guys at NIST here is a document titled "NIST Guide to Integrating Forensic Techniques into Incident Response". I had a quick look and it looks useful.

Rick

Finally a map I can read! (-8

Compliments of Joel Cort via cccure.org is a document mapping the old ISO 17799:2000 standard to the new ISO 17799/27001:2005 standard. It looks like good work. Available in PDF and Word format here.

Rick

Sunday, October 15, 2006

Hilariously Funny?

Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!

http://www.amazon.com/Million-Random-Digits-Normal...

I understand that in 1955 when this book was originally published that generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.

Rick

Thursday, October 12, 2006

Payment Card Industry Standards Changes

The PCI (Payment Card Industry) has just recently announced changes to the standards for companies processing credit card charges via ecommerce.

The changes are here.

The full standard is here.

Rick

Reminder: End of XP SP1 support

Just a reminder that the set of patches released by Microsoft on Tuesday October 10th were the last of the patches for XP SP1. From now on if you haven't upgraded to SP2 you are SOL when it comes to support from Microsoft.

I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.

Rick

NIST Guide to Log Management is final

The long awaited NIST guide to Computer Security Log Management (SP800-92) is out in its released version. This document has a few flaws, but it is an excellent document and should be required reading for every security professional.

Rick

Friday, October 06, 2006

More Security Stupidity

A geologist on his way to a convention of geologists has a rock sample declared a "dual-use item" in other words a potential low-tech weapon. The scary part is I sort of understand this one...but that doesn't make it right!

Rick