Jeff's InfoSec Blog

Credit Bureaus adopt data protection standard... so what?

2005-09-28T02:18:00Z

So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link). Great.

Except that data encryption isn't the problem. All of the widely publicized recent attacks have been either from insiders, or from organizations that were customers. Such attackers already have access to the data.

The answer isn't going to be that easy. It is going to require some type of rights management that ties the data to the consumer, the usage and the time that it is valid.

The real message here is that this isn't for consumer protection at all. It is to make life easier for the purchasers of credit reporting data, who today have to deal with different schemes from each of the big three. Maybe there is some benefit here for the consumer, but it isn't immediately obvious.

British Gov't validating security tools - "CSIA CT Mark"

2005-09-14T20:30:00Z

The CSIA is sort of the British version of NIST, with respect to IT. They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark"). This is a very different approach to that used in the Common Criteria process, which seeks to apply a single set of standards to many different products.

I think I like the British approach more -- it provides customers with some amount of trust that the products will perform as described, without making the verification process so onerous that only the products with the largest volumes (e.g. Windows Server) would ever be put through the process.

Cool stuff - Microsoft MAX

2005-09-14T20:19:00Z

If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/. It's the Codename Avalon user interface used for photo browsing. Not only is it really pretty, but it also shows some great ideas around how a UI can provide context for users.

Trapping passwords by listening to typing

2005-09-14T04:28:00Z

An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algortithm can be built to derive what is being typed, including passwords. There are many caveats here, including the requirement that the typist is typing in one language (they used English) and that the recognition rate is far from 100%. But nevertheless it provikes thought.

So what does this tell us? First off, relying solely on passwords is a bad idea -- even if this attack wasn't possible, there are just so many others. Two-factor authentication is not foolproof but it does greatly reduce the risk.

Second, this reiterates the old saw about physical access. If I can get close to your PC then I have a reasonable chance of obtaining your user ID and password.

Type quietly, everyone!

Here's a list of Security Solutions

2005-08-17T01:36:00Z

Tony Bailey, the Senior Product Manager on the Microsoft Solutions for Secrity & Compliance team, has put together a list of all of our security solutions. You can find it here: http://www.microsoft.com/technet/community/columns/sectip/default.mspx

A National Database of Vulnerabilities

2005-08-16T19:21:00Z

NIST has opened up a National Vulnerabillity Database, also available as an XML feed. I love the fact that all of the available info will be in one place, although I do fear that it will re-open the "what's more secure" arguments that have been running for several years.

Link: http://nvd.nist.gov

Story: http://www.fcw.com/article89911-08-15-05-Print

First go for people with no armor; then look for chinks in the armor

2005-07-27T23:15:00Z

If researchers are pointing out the issues, the bad guys will not be far behind. Start checking to make sure that your AV software is up to date!

Link.

Microsoft buys email managed-services company

2005-07-21T23:38:00Z

Link. Microsoft Q&A.

They provide email customers with security and compliance services (retention, etc.). As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure. THis is somewhat in contrast to the old approach of outsourcing everything.

Patch Tuesday becomes popular

2005-07-21T21:03:00Z

Despite the slings and arrows that we endured originally when we came up with Patch Tuesday, it looks like this is gaining momentum. This article from eWeek talks about other companies starting to release patches on Tuesday as well. Of course there is always a dissenting opinion.

Now if only we could come up with a single auto-update mechanism that supported multiple vendors -- but that is a hairy legal as well as practical issue.

Oh great -- now spyware is disguised as antispyware!

2005-06-02T00:30:00Z

This is classic -- you get infected with spyware that masquerades as antispyware. It pops up an alert that you're infected, and directs you to a web site to buy a licensed version of a disinfection program. InformationWeek called it "ransom-ware" and I tend to agree.