Jeff's InfoSec Blog
Thoughts about information security, privacy, and regulatory compliance. Brought to you by Jeff Newfeld, the product unit manager for security solutions in Microsoft's Core Infrastructure Solutions group.

Credit Bureaus adopt data protection standard... so what?
Posted over 8 years ago by TechNet Archive | Comments: 24
So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link). Great. Except that data encryption...

British Gov't validating security tools - "CSIA CT Mark"
Posted over 8 years ago by TechNet Archive | Comments: 0
The CSIA is sort of the British version of NIST, with respect to IT. They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark"). This is a very different...

Cool stuff - Microsoft MAX
Posted over 8 years ago by TechNet Archive | Comments: 0
If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/. It's the Codename Avalon user interface used for photo browsing. Not only is it really pretty, but it also shows some great ideas around how a UI...

Trapping passwords by listening to typing
Posted over 8 years ago by TechNet Archive | Comments: 2
An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords...

Here's a list of Security Solutions
Posted over 8 years ago by TechNet Archive | Comments: 3
Tony Bailey, the Senior Product Manager on the Microsoft Solutions for Security & Compliance team, has put together a list of all of our security solutions. You can find it here: http://www.microsoft.com/technet/community/columns/sectip/default.mspx

A National Database of Vulnerabilities
Posted over 8 years ago by TechNet Archive | Comments: 0
NIST has opened up a National Vulnerability Database, also available as an XML feed. I love the fact that all of the available info will be in one place, although I do fear that it will re-open the "what's more secure" arguments that have been running...

First go for people with no armor; then look for chinks in the armor
Posted over 8 years ago by TechNet Archive | Comments: 0
If researchers are pointing out the issues, the bad guys will not be far behind. Start checking to make sure that your AV software is up to date! Link.

Microsoft buys email managed-services company
Posted over 8 years ago by TechNet Archive | Comments: 35
Link. Microsoft Q&A. They provide email customers with security and compliance services (retention, etc.). As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure. This...

Patch Tuesday becomes popular
Posted over 8 years ago by TechNet Archive | Comments: 0
Despite the slings and arrows that we endured originally when we came up with Patch Tuesday, it looks like this is gaining momentum. This article from eWeek talks about other companies starting to release patches on Tuesday as well. Of course there is...

Oh great -- now spyware is disguised as antispyware!
Posted over 8 years ago by TechNet Archive | Comments: 0
This is classic -- you get infected with spyware that masquerades as antispyware. It pops up an alert that you're infected, and directs you to a web site to buy a licensed version of a disinfection program. InformationWeek called it "ransom-ware" and...

Microsoft Solutions for Security team at TechEd
Posted over 8 years ago by TechNet Archive | Comments: 0
I was going to post on this but Tony Bailey beat me to it (link). We have several sessions at TechEd, and 6 program managers and subject matter experts from my team will be in the Security Cabanas. I can't make it down this year but I have reviewed...

Spyware (I mean potentially unwanted software) and the law
Posted over 8 years ago by TechNet Archive | Comments: 1
You know that a concept has truly entered the mainstream when it spawns politically correct euphemisms. Potentially unwanted software is the latest safe and approved term for what most people think of as spyware and adware. So the House has just approved...

OK, passwords are so 20th century and have to go!
Posted over 8 years ago by TechNet Archive | Comments: 497
This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this. I would say that we're 3 years too late in making 2-factor auth a base part of computing. This makes identity theft almost too...

What happened to IT journalism?
Posted over 8 years ago by TechNet Archive | Comments: 0
Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies? While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them...

Internet fraud -- whose fault is it?
Posted over 8 years ago by TechNet Archive | Comments: 36
Awareness is our biggest challenge, but we've been doing a lot to make this happen. At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune. I like this...

Regulatory Compliance: Yet another regulation to follow
Posted over 8 years ago by TechNet Archive | Comments: 0
The Payment Card Industry (credit-card issuers) have created their own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to...

What is Spyware (again)
Posted over 8 years ago by TechNet Archive | Comments: 1
More progress being made on the anti-spyware front: http://www.eweek.com/article2/0,1759,1788844,00.asp. Industry players are banding together to try and define this. I'm not sure that this is a good idea -- while I agree that the term "spyware" has...

Child Exploitation Tracking System developed by Microsoft
Posted over 8 years ago by TechNet Archive | Comments: 0
This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide. Link.

DNS Poisoning attacks... will this never end?
Posted over 8 years ago by TechNet Archive | Comments: 1
TechWeb just posted an article on DNS cache poisoning continuing. The Microsoft KB article can be found here. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests...

Vulnerability analysis using search tools
Posted over 8 years ago by TechNet Archive | Comments: 1
Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.

First open O/S, now open BIOS?
Posted over 8 years ago by TechNet Archive | Comments: 0
Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's...

New day, new blog
Posted over 8 years ago by TechNet Archive | Comments: 0
I am switching from MSN Spaces to TechNet over the next couple of weeks. Until I get my old stuff migrated over, if you're interested you can see my old posts here.

Strong Passwords = Weak Security
Posted over 8 years ago by TechNet Archive | Comments: 1
An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of "security-enhancing" principles lead to one outcome: Users...

How do we fight spyware when no one can agree what it is?
Posted over 8 years ago by TechNet Archive | Comments: 0
Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss...

7 computer security tips for students
Posted over 8 years ago by TechNet Archive | Comments: 39
My group didn't write this... that is, I don't think we did, although this may have come out of our Consumer team. But it is pretty good, basic advice for students that are heading off to school with their new laptops. School is in: 7 computer security...