The Blog Thing

Hints, tips and thoughts about IT, security and privacy

Archive for the ‘Security’ tag

MS Security Intelligence Report volume 5 available


Since January 2006, Microsoft has published a bi-annual Security Intelligence Report.

The report provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows users, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications. The fifth volume (and previous volumes) of the report is now available:

SIR Volume 5 (January through June 2008) and Key Findings Summary

Though of course focused on Microsoft security products, it does provide an insight that is broader and gives a good basis as an input for discussion on malware protection.

Written by Vincent Verhagen

December 1st, 2008 at 11:44 UTC

Posted in Uncategorized


NIST Guide to Securing Microsoft Windows XP


Just a quick note for those of you still looking for a good starting point on securing Windows XP systems.

Special Publication (SP) 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, has been published as final. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005.

URL:
http://csrc.nist.gov/itsec/download_WinXP.html

Bye,

Vincent

Written by Vincent Verhagen

October 18th, 2008 at 13:00 UTC

Posted in Uncategorized


Sun Tzu on the Art Of War


I’d been looking for this for a while and finally found the time to really search for it :-)

“Sun Tzu on the Art Of War” is a classical Chinese text on military strategy.
That said, its use has not been limited to military subjects only. The first time I came into contact with this work was in my studies on Traditional Chinese Medicine (TCM). One of my teachers compared the invasion of the human body by diseases and the treatment of patients to military strategy using excerpts from this text.
Besides that, some “new” (after 490 BC) texts on TCM even mention Sun Tzu’s texts.

For more info on Sun Tzu, see: http://en.wikipedia.org/wiki/Sun_Tzu

In my life as an information security consultant, I sometimes use excerpts from Sun Tzu’s work in my classes and advisory reports, because they very much apply to today’s fight against threats.

You can download the text right here. I couldn’t find any legal reason not to post it; the creating company of this PDF does not seem to exist anymore. Please let me know if I’m wrong before suing me?

Here it is: Sun Tzu on The Art of War

Written by Vincent Verhagen

February 22nd, 2007 at 17:15 UTC

Posted in Uncategorized


When no password is better than a weak one


Did you know this? Well, I didn’t up until a little while ago.

Here’s the deal. First: this goes for the built-in administrator account in Windows OSes, known as BUILTIN\Administrator (RID 500). You’ll find it exists in all relatively modern Windows-based systems and Active Directory.

OK, you’ve really thought about this and decided on a long and complex password for the administrator account. Sometimes a blank password might be better, though.
This is because in Windows XP and Windows Server 2003, a blank password (by default) can only be used for local access. An account having a blank password cannot be used as a network credential…
So, when you can guarantee physical security of the system, a blank password might actually be better than a weak one :)

All in all, I’d rather have the built-in administrator account disabled. You should never need it, and when you need to use safe mode or the recovery console, it will automatically be enabled.
Good practice says that everyone who needs administrator access has his/her personal administrator account and a normal working account besides that, so…

Written by Vincent Verhagen

February 16th, 2007 at 19:56 UTC

Posted in Uncategorized


Use of SHA-1 prevents use of third party add-on


Dallas Semiconductor (www.dalsemi.com) has developed a very small integrated circuit (the DS2703) for use in rechargeable battery packs that communicates with a cell phone (or digital camera, notebook, PDA, etc.) and verifies the authenticity of the battery pack. It uses SHA-1 and a 64-bit secret key in the process of verification.
This way the use of third party battery packs will be a thing of the past. Price and size have prevented large scale use of this technique up until now, but at US$ 0,77 per chip I guess the main cell phone manufacturers will jump at the occasion and incorporate this (or a similar) chip in their battery packs to prevent users from using unsafe packs instead.

My guess is that we will see much more of this kind of device or add-on authentication in the near future, especially in situations where revenue depends on sales of authentic add-ons (like the mentioned battery packs, but how about ink and toner cartridges and the like) and situations where the safety or regulatory approval of a system could be compromised by using non-authentic add-ons.

Who would have guessed? Battery packs doing complicated math…

Dallas has a nice white paper about this application of SHA-1 on their Maxim site: www.maxim-ic.com/appnotes.cfm/appnote_number/1201
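
The kind of verification described above, sketched as an added example (not code from the post or from the chip vendor): it assumes a challenge-response exchange keyed with the 64-bit secret, and uses HMAC-SHA1 as a stand-in because the post does not give the chip's actual message layout. The class names, the 8-byte challenge size and the replay scenario are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 8      # 64-bit secret, the key size the post mentions
CHALLENGE_LEN = 8   # assumed challenge size (not stated in the post)


class BatteryToken:
    """Stands in for the authentication chip inside a genuine pack."""

    def __init__(self, secret: bytes):
        if len(secret) != SECRET_LEN:
            raise ValueError("secret must be 64 bits")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA1 is a standard keyed-SHA-1 construction used as a stand-in;
        # the chip's real input layout is not described in the post.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Host:
    """Stands in for the phone: knows the secret, issues fresh challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False                                  # nothing was asked
        challenge, self._pending = self._pending, None    # single use
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)    # constant-time compare


def authenticate(host: Host, token: BatteryToken) -> bool:
    return host.verify(token.respond(host.new_challenge()))


def replay_accepted(host: Host, token: BatteryToken) -> bool:
    """A pack that recorded one genuine response replays it later."""
    recorded = token.respond(host.new_challenge())
    host.verify(recorded)            # the genuine exchange completes
    host.new_challenge()             # host asks again with a fresh challenge
    return host.verify(recorded)     # the old answer no longer matches
```

Because the host holds the same secret as the pack, the scheme is only as strong as the protection of that key on both sides.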

Written by Vincent Verhagen

October 10th, 2005 at 16:33 UTC

Posted in Uncategorized


Satellite images threaten democracy?!


No posts for a while now; have been busy. But I just had to react to this one.
Several news sites have run stories about Google Earth being a safety hazard, because now anyone can get their hands on detailed images of otherwise classified installations around the world.

I won’t go into the debate if that’s true or not. But HELLO??
The image data on Google Earth is hardly up-to-date and does nobody know that there have been commercial satellite imaging companies around for a few years now? For the right amount you can get up-to-the-minute satellite images of any location you wish. Try googling “commercial satellite images”…
So why has no one run stories about that before? Nobody knew? Come on, the same story-runners of today have been using these services for their own purposes for some time now, so that can’t be it. No, I guess some people have finally woken up and others think it makes nice headlines that sell their papers.

The point I am trying to make is that the availability of satellite images isn’t new. The hype is. And hypes are dangerous in my opinion because they distract the attention from the real problems of this world. No terrorist needs a satellite picture of a big mall to bomb it…

Written by Vincent Verhagen

September 13th, 2005 at 18:20 UTC

Posted in Uncategorized


Do-It-Yourself Security Checkpoint :-)


This security checkpoint has a point :-)

What-The-Hack security checkpoint

Written by Vincent Verhagen

August 15th, 2005 at 17:25 UTC

Posted in Uncategorized


NIST puts database of 12000+ security vulnerabilities online (Dutch only)


The American NIST has put a database online containing more than 12000 security problems in various popular IT products. The database is updated daily with the latest information from multiple sources.
The National Vulnerability Database, as the database is called, is freely accessible and offers statistical information in addition to details about the products and their problems. The database can be found at: http://nvd.nist.gov.

Written by Vincent Verhagen

at 15:23 UTC

Posted in Uncategorized


Shoot to kill policy. Sounds stupid to me.


The London police have adopted a “shoot to kill” policy on suspected suicide bombers. Why? Well, they say that shooting someone in the body will still give him/her the possibility to detonate a bomb. So you shoot them in the head.
That really sounds stupid to me. The next suicide bomber will simply use a dead-man trigger, as they have done for many years, for instance when using hand grenades. Or they will use a cheap € 35 heart rate monitor to do the job. The bomb will now detonate when the person is shot…

My point is that you can’t get it right with these simple policies. The terrorists will simply adopt a different strategy to deal with them. In the end these policies threaten our safety instead of improving it.
In my opinion the best thing would be well trained security personnel that can make the decision themselves based on the situation at hand. But that’s expensive and takes time. In the meanwhile we’ll have to make a decision ourselves when confronted by some plain-clothes persons drawing guns and shouting at us. Are they robbing us, or are they trying to protect us?

Written by Vincent Verhagen

July 28th, 2005 at 12:25 UTC

Posted in Uncategorized


SHA-1 crypto analysis paper available


In February Chinese researchers published a short statement on the fact that they had a way of finding collisions in the SHA-1 algorithm.
SHA-1 is a hashing algorithm. In short, it takes some data and computes a large number that is, for all practical purposes, unique for that data. When someone changes any part of the data, the outcome of the hashing function changes. This is used for instance to guarantee integrity of a message.
The Chinese researchers have found a way to find collisions; in the end that means that in theory someone could craft two messages with the same result from the hash function. I say “in theory”, because at this point in time it takes quite some computing power to do so, but time has proven that that will change.

Up until now the paper wasn’t available; it is now. For the mathematicians among you, you can find it here: http://cryptome.org/wang_sha1_v2.zip
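
To make "collision" and "computing power" concrete, here is an added example (not from the paper or the original post) that goes beyond the text by truncating SHA-1 to a few dozen bits so a generic birthday search finishes in well under a second. It is not the researchers' attack; the function names and the `msg-` message prefix are made up for illustration.

```python
import hashlib


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-1(data) as an integer."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_truncated_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share a truncated digest.

    Returns (message_a, message_b, attempts). Expected work is roughly
    2**(bits/2) hashes, far fewer than the 2**bits possible outputs, which
    is why a 160-bit hash offers about 80 bits of collision resistance
    even before any cryptanalytic shortcut.
    """
    seen = {}
    counter = 0
    while True:
        message = prefix + str(counter).encode()   # constructed sample inputs
        tag = truncated_sha1(message, bits)
        if tag in seen:
            return seen[tag], message, counter + 1
        seen[tag] = message
        counter += 1


def avalanche_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 160 output bits differ between two inputs."""
    x = int.from_bytes(hashlib.sha1(a).digest(), "big")
    y = int.from_bytes(hashlib.sha1(b).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    a, b, attempts = find_truncated_collision(32)
    print(f"{a!r} and {b!r} share their first 32 bits after {attempts} hashes")
    print("bits changed by a one-character edit:",
          avalanche_bits(b"pay 100", b"pay 900"))
```

Each extra bit kept from the digest multiplies the search cost by about 1.4, so the same loop is hopeless against all 160 bits; the published result matters because it finds collisions with less work than this generic bound.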

Written by Vincent Verhagen

July 25th, 2005 at 22:47 UTC

Posted in Uncategorized
