• Windows Server 2008 PKI and Certificate Security

    Fresh off the press (ok, it has been out since the beginning of April, but I only saw it now): Brian Komar, the well-known author of several PKI books on Windows Server, has just released a new book called Windows Server 2008 PKI and Certificate Security. If you are planning a Windows Server 2008 PKI, this is a must-read (at least judging from Brian's earlier books :-)).

    Here is the abstract:

    Get in-depth guidance for designing and implementing certificate-based security solutions—straight from PKI expert Brian Komar. No need to buy or outsource costly PKI services when you can use the robust PKI and certificate-based security services already built into Windows Server 2008! This in-depth reference teaches you how to design and implement even the most demanding certificate-based security solutions for wireless networking, smart card authentication, VPNs, secure email, Web SSL, EFS, and code-signing applications using Windows Server PKI and certificate services. A principal PKI consultant to Microsoft, Brian shows you how to incorporate best practices, avoid common design and implementation mistakes, help minimize risk, and optimize security administration.

    Roger

  • BitLocker™ completes FIPS 140-2 Certification

    On behalf of the product team, I am very proud to tell you that Windows Vista BitLocker™ has completed FIPS 140-2 certification. If you are interested, you can find the corresponding certificate here.

    Roger

  • The “successful” attack on Cardspace

    I guess you have read it, as it was pretty widespread in the press in the last few days: On the Insecurity of Microsoft's Identity Metasystem CardSpace.

    Well, is there any official Microsoft reaction to it? No, not yet, and if you look a little more in depth into it, I doubt there will be. Why? Because the whole setup is ridiculous – at least in my opinion. To cut it short: if you ignore all the warnings of the OS and pull down all the protection shields we built into Windows Vista, then it is possible to attack Cardspace. This is true. Is it making me nervous? Not really.

    There are mainly two things you have to do to make the attack succeed before you can steal the Cardspace token: spoof DNS and "compromise" the Root Certificate Store. Hmm, we all know that attacking DNS could be possible (even though they do not include it in their presentation), but you need the help of the user as well in order to get a certificate into the Trusted Root store, or you have to trick a certificate provider into issuing a cert to you for a website you do not own. They failed to show in their "proof of concept" how they bring a root cert into the store without serious support from the user.
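
    Since the attack hinges on an unexpected root certificate ending up in the Trusted Root store, the useful defender's check is to audit that store. The following PowerShell script is an added example and not part of the original post: it lists every certificate in the machine's Trusted Root store whose thumbprint is not on a baseline you verified beforehand, and separately lists roots that exist only in the per-user store (the ones a user could have clicked through the Windows Vista warning dialog for). The thumbprints in $Baseline are placeholders, and the function names Get-UnexpectedRootCert and Get-UserOnlyRootCert are my own; the script assumes the standard Cert: provider that ships with PowerShell.

```powershell
# Added example (not from the original post): audit the Trusted Root stores
# for certificates that are not on a verified baseline.
# Assumption: the thumbprints in $Baseline are placeholders; replace them with
# the thumbprints of the roots you expect on your machines.
function Get-UnexpectedRootCert {
    param(
        [string[]]$Baseline = @('PLACEHOLDER-THUMBPRINT-1', 'PLACEHOLDER-THUMBPRINT-2'),
        [string]$Store = 'Cert:\LocalMachine\Root'
    )

    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_
        if ($Baseline -notcontains $cert.Thumbprint) {
            New-Object -TypeName PSObject -Property @{
                Store      = $Store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                # A root that was issued only recently deserves a closer look
                AgeDays    = [int]((Get-Date) - $cert.NotBefore).TotalDays
            }
        }
    }
}

# The CurrentUser Root view also shows the machine roots, so the difference
# between the two stores is exactly the set of roots added for this user
# without administrative rights.
function Get-UserOnlyRootCert {
    $machine = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        ForEach-Object { $_.Thumbprint }
    Get-ChildItem -Path 'Cert:\CurrentUser\Root' |
        Where-Object { $machine -notcontains $_.Thumbprint }
}

# Usage: newest-looking unexpected roots first, then anything user-added
Get-UnexpectedRootCert | Sort-Object AgeDays |
    Format-Table Store, Subject, Thumbprint, AgeDays -AutoSize
Get-UserOnlyRootCert |
    Format-Table Subject, Issuer, Thumbprint -AutoSize
```

    Run it as an administrator on a known-clean machine first to build the baseline, then schedule it or export the results with Export-Csv so that a newly appearing root shows up as a diff rather than having to be spotted by eye in a list of well over a hundred entries.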

    Is this a Cardspace vulnerability? I'll let you decide.

    Kim Cameron posted twice now on this claimed vulnerability:

    You know that we take vulnerabilities in our software seriously. But what these students have now done publicly is – with all due respect for their work – irresponsible. It might be cool for them to blame Microsoft and show vulnerabilities in our software – but if you do it, please make sure that you at least meet the bar of a vulnerability without needing the in-depth help of the user.

    Roger

  • Are we talking about the right things?

    I am in Qatar at the moment, at the Doha Information Security Conference. They actually have a very interesting setup: there are only very short presentations (about 5-10 minutes) by approx. 2 people, and from there on a panel discussion on the topic fills the rest of the hour. As there are about 100 pretty active people (which is a lot for Qatar), the format is very interactive and attractive.

    Today there was one session on the ISO standards. We had a very good discussion on them, and then one of the participants raised a very good point: he said that he attends a lot of events. A lot of people talk about risk management, writing pragmatic security policies, etc., but nobody actually tells him where to start and how to do it.

    Is this really true (I did not do it in this short presentation either)? We usually say that the policy and the project have to be adapted to the company. This is definitely true, but is the approach really so different? When I was working at PricewaterhouseCoopers, the approach we took was normally more or less the same (more more than less :-)). So, why do we not give people better guidance on how to do it?

    Do you normally give such guidance (talking at events, not doing consultancy :-))?

    Roger

  • The Emancipation of Hackers

    In the world of Chinese hackers there seems to be a group especially for female hackers. I just read this post: Chinese Female Hacker Group, which shows a pretty high growth rate of women joining:

    The website for the China Girl Security Team was registered on 12 Mar 2007 and currently has 2,217 members. The leader of the group, Xiao Tian, is only 19 years old.

    Roger