Not really security relevant, but cool anyway... some more info on project Natal: http://news.cnet.com/8301-13772_3-20001174-52.html?part=rss&subj=news&tag=2547-1_3-0-20
What is project Natal? ;-) http://www.xbox.com/en-US/live/projectnatal/
-Urs
DarkReading: If your security strategy relies on end users to perform updates or avoid risky behavior, then it's time to ask yourself a question: How much do end users really know about security vulnerabilities?
"Non-IT folks are often only aware of security vulnerabilities that are covered in mainstream publications and media or hit close to home by impacting a family member," says Mike Greide, senior security researcher at Zscaler.
http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=224000172
MSNBC: Seattle is the riskiest online city, according to a new survey.
Symantec says Seattle tops the list because people are more likely to access the Web each day and use the Internet for shopping and banking, and because of the proliferation of wireless Internet access.
http://www.msnbc.msn.com/id/35985828
Oops... as I am currently in Seattle and knowing that, should I be more careful now? ;-)
Network World: Who's got the biggest cloud in the tech universe? Google? Pretty big, but no. Amazon? Lots and lots of servers, but not even close. Microsoft? They're just getting started.
Household names all, but their capacity pales to that of the biggest cloud on the planet, the network of computers controlled by the Conficker computer worm. Conficker controls 6.4 million computer systems in 230 countries, more than 18 million CPUs and 28 terabits per second of bandwidth, said Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar.
http://www.networkworld.com/community/node/58829
Here is a good paper on Cloud computing - information security briefing (PDF): http://www.cpni.gov.uk/Docs/cloud-computing-briefing.pdf
Centre for the Protection of National Infrastructure: This publication offers security advice and good practice for any organisation looking to protect against the risk of a terrorist act or limit the damage such an incident could cause. It sets out how a security plan might be developed and updated, the key measures that can help protect staff, property and information and how businesses can prepare for the worst.
http://www.cpni.gov.uk/Docs/protecting-against-terrorism-3rd-edition.pdf
New Microsoft cloud-computing service offers federal agencies a high level of security, including biometric access control and fingerprinting for background checks.
http://news.cnet.com/8301-27080_3-10459301-245.html?part=rss&subj=news&tag=2547-1_3-0-20
Scott Hogg, Core Networking and Security: "I find it useful to seek out new perspectives on the ever-changing security realm. By reviewing these [security] reports, we can gain a greater understanding of the emerging Internet threats our organizations are facing."
Includes links to various security reports: http://www.networkworld.com/community/node/58241
Victor Beitner, a security expert who reconfigures photocopy machines destined for resale in Toronto, says businesses are completely unaware of the potential information security breach when the office photocopier is replaced.
They think the copier is just headed for a junkyard but, in most cases, when the machine goes, so does sensitive data that have been stored on the copier's hard drive for years.
Elevation of Privilege is the easy way to get started threat modeling. Threat modeling is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
The Elevation of Privilege (EoP) card game helps clarify the details of threat modeling and examines possible threats to software and computer systems.
http://www.microsoft.com/Security/sdl/eop.aspx
Very interesting article from the MSRC: Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49, an ongoing operation to disrupt the botnet for the long term.
To effectively counter a botnet like Waledac, we knew a multi-layered approach was needed — one that included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the phone home communications between zombie PCs and the command and control servers for Waledac, and traditional server takedowns to sever the back-end command and control mechanisms most directly under the control of the bot master(s).
http://blogs.technet.com/mmpc/archive/2010/03/15/what-we-know-and-learned-from-the-waledac-takedown.aspx
[NIST] With the dwindling number of IPv4 addresses, the Office of Management and Budget (OMB) mandated that U.S. federal agencies begin using the IPv6 protocol. This document provides guidelines for organizations to securely deploy IPv6.
http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf
Urs
Information security awareness and training is critical to any organization’s information security strategy and operations. People are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Microsoft offers the security awareness toolkit to help organizations plan, develop, and deliver a successful security awareness program.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4a4cf17c-c694-49d9-97bb-724e0ae55db1&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MicrosoftDownloadCenter+%28Microsoft+Download+Center%29#tm
[Computerworld] Microsoft announced at the RSA Conference on Tuesday that it has begun shipping Forefront Identity Manager 2010, server software for provisioning and de-provisioning user access and privileges for network and database resources.
http://www.computerworld.com/s/article/9165179/Microsoft_cranks_out_new_identity_management_software?taxonomyId=17
and from the Forefront team blog: http://blogs.technet.com/forefront/archive/2010/03/02/rsa-conference-2010-identity-at-the-forefront.aspx
One of the trickiest problems in cyber security is trying to figure who’s really behind an attack. Darpa, the Pentagon agency that created the Internet, is trying to fix that, with a new effort to develop the “cyber equivalent of fingerprints or DNA” that can identify even the best-cloaked hackers.
http://www.wired.com/dangerroom/2010/01/pentagon-searches-for-digital-dna-to-identify-hackers/
TechWorld: Netbook users worried about storing sensitive data on their portables are being offered the world's first whole-disk encryption that will run useably on Intel's Atom processor.
http://news.techworld.com/security/3212192/intel-atom-netbooks-get-whole-disk-encryption/
For years computer security experts have been preaching that users should never share the same password across their connected lives — at online banking sites, at Amazon, on their Web mail services, even on their cell phones. Apparently, most people ignore that advice.
It really can't be repeated enough... :-(
http://redtape.msnbc.com/2010/02/for-years-computer-security-experts-have-been-preaching-that-users-should-never-share-the-same-password-across-their-connecte.html
Microsoft released a template for applying its Security Development Lifecycle (SDL) methodology to agile software development projects built with the Visual Studio development environment.
http://www.infoworld.com/d/developer-world/microsoft-links-security-guidelines-agile-development-738
http://www.microsoft.com/downloads/details.aspx?FamilyID=c4b44860-cfba-494a-ba43-13c4aecf86af&displaylang=en
Public Wi-Fi networks such as those in coffee shops and airports present a bigger security threat than ever to computer users because attackers can intercede over wireless to poison users' browser caches in order to present fake Web pages or even steal data at a later time. That’s according to security researcher Mike Kershaw, developer of the Kismet wireless network detector and intrusion-detection system, who spoke at the Black Hat conference.
http://www.computerworld.com/s/article/9151979/How_Wi_Fi_attackers_are_poisoning_Web_browsers?taxonomyId=85
Activists have long grumbled about the privacy implications of the legal backdoors that networking companies like Cisco build into their equipment — functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don't have particularly strong locks, and consumers are at risk.
http://www.forbes.com/2010/02/03/hackers-networking-equipment-technology-security-cisco.html
It’s been three weeks since Google announced that a sophisticated and coordinated hack attack dubbed Operation Aurora recently targeted it and numerous other U.S. companies. Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers that struck Google and others.
http://www.wired.com/threatlevel/2010/02/apt-hacks/
"We are providing a technical solution that will eliminate the need for a lot of cyber professionals because we just don't have enough of them," Zalmai Azmi says. Can technology replace the IT security professional to safeguard government information systems?
http://www.govinfosecurity.com/articles.php?art_id=2170
Believe it or not, but the recently introduced, free security solution from Microsoft manages to hold its own against fully-fledged, paid security suites from heavyweight players on the security market, at least when it comes down to generic detection and heuristic techniques.
In fact, Microsoft Security Essentials 1.0, formerly codenamed Morro, fared better than the products from security companies that were fast to downplay the relevance of a free basic solution from the Redmond company.
http://news.softpedia.com/news/Microsoft-Security-Essentials-vs-Kaspersky-Nod32-BitDefender-Symantec-McAfee-128482.shtml
Microsoft Security Essentials can be downloaded here: http://microsoft-security-essentials.en.softonic.com/ (Note: This is not a Microsoft Download Site)
If you go solely by top-level stats on encryption use, you'll come away feeling pretty secure — 86 percent of the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption Survey employ encryption of some type. But that finding doesn't begin to tell the real story. Only 14 percent of respondents say encryption is pervasive in their organizations. Database table-level encryption is in use by just 26 percent, while just 38 percent encrypt data on mobile devices. And 31 percent — more than any other response — characterize the extent of their use as just enough to meet regulatory requirements.
http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=221900355
Using your laptop to get work done away from your office or on the road is becoming widely accepted. But this rapid growth in laptop computing has made portable systems the target for theft around the world. If your laptop computer is stolen, company information can be exposed, as well as your personal and financial information.
http://www.microsoft.com/atwork/security/laptopsecurity.aspx
This guide was designed to help IT professionals better understand and use Microsoft security release information, processes, communications, and tools. Our goal is to help IT professionals manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3d986d0-ecc3-4ce0-9c25-048ec5b52a4f