cissp CISSP training Certified Information Systems Security Professional: Awareness Info

NoticeBored Newsletter, October 2008, Ethics and Security
Posted by boss on Tuesday, 30 September 2008 @ 13:11:14 EDT (310 reads)
Topic Awareness Info

NoticeBored dot com Information security awareness newsletter
October 2008 - ethics and security
Dear Clement,

Ethical people act in accordance with principles of conduct that are generally considered correct and appropriate. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures.

October's module is all new as we have not covered ethics directly before. I hope you find the newsletter interesting and thought-provoking.

Kind regards,
Gary Hinson
CEO, IsecT Ltd.
Download the newsletter (~140kb PDF)
Copyright © 2008 IsecT Ltd. Information in the newsletter is provided free, for information only and 'as is'. Whilst believed correct, it is in no way comprehensive. It is provided for interest only and is not intended to be relied upon as formal advice. No liability is accepted for any errors or for any losses that may be incurred if any such information is relied upon. You may freely distribute the PDF version of the newsletter intact (including the copyright notice and attribution) but please let us know if you intend to post it on the web. Find out more about NoticeBored here.



NoticeBored latest newsletter on governance
Posted by boss on Thursday, 31 July 2008 @ 11:17:09 EDT (510 reads)
Topic Awareness Info

cdupuis writes "

NoticeBored dot com Information security awareness newsletter
August 2008 - information security governance
Dear Clement,

The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk.

This month we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend.

You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence. While it’s far too early to determine whether there is any truth behind the allegations, the story has fascinating governance implications that find their way into one of the case studies and the newsletter.

Kind regards,
Gary Hinson
CEO, IsecT Ltd.
Download the newsletter (~148kb PDF)

"



Enterprise security testing
Posted by boss on Wednesday, 14 May 2008 @ 11:53:54 EDT (617 reads)
Topic Awareness Info

Anonymous writes "

Introduction

This article elaborates on enterprise security testing. Enterprises' data security is constantly under attack. In this seemingly chaotic environment, data security has become one of the primary challenges facing all organizations.

One of the greatest risks of information leakage is much harder to control: any software, before being released into the market, has to be thoroughly checked for security risks. In today’s world of stiff competition and corporate espionage, there is always the risk of software being poisoned by a competitor (by compromising an employee) or by others such as government bodies, disgruntled employees, anti-social elements, etc. The implications of such a compromise can be detrimental to the enterprise.

Facts:

“In 2006, Fortune 1500 companies lost more than $45 billion from the theft of trade secrets, according to a survey by the American Society for Industrial Security and Price Waterhouse Coopers.”

The San Francisco Chronicle reported on a case they called “The spies in the next cube”. It was about an employee who said he was leaving to return to his home country to get married, without any job. The FBI found a CD: he was leaving with all the corporate secrets for the new job.

So the answer is … YES, it really happens.


What can you do to protect your company from being a victim of corporate information leakage?

What is the problem?

In today’s era there is much more competition in the corporate world. Everyone wants to know about his competitors, so they try different ways of gathering information. Attackers have now changed their way of thinking.

Any software product, before it reaches the end user, has to go through many distribution channels:

Manufacturer > reseller > end user

During this process:

  1. There is ‘no’ guarantee that the software is fully safe and has not been tampered with in this process.
  2. Anyone can tamper with the product and get some vital information from your organization.

So when your organization uses these types of product, what are the risk factors?

• Financial risk
• Confidential information leakage
• Employee records (a successful company's most trustworthy and devoted employees)
• Client information

Firewalls and anti-virus based security systems cannot protect you from theft of your company's confidential information by this type of attack.

EFFECT ON YOUR ORGANIZATION:

• Market value.
• Client relationships.
• Loss of your best employees.
• The weaknesses of the org. are now disclosed.
• The success graph is now flat: it is not rising, and may even start decreasing.

Basically we’re talking about the credibility of an organization. If you don’t have a basic level of confidentiality of data, availability of resources, and integrity for your IT services, why should anyone trust what you say?
Now the question is: who is responsible for this?

You know very well:

• Business rivals
• Hackers
• Attackers
• Intruders
• Vendors
• Anti-social elements

Why?

1. To reach the highest level in the business.
2. For financial benefit from your org.
3. Only for fun.
4. To find your best employee.
5. To get at your organization’s weaknesses.

What data are they collecting?

• Corporate intellectual property
• Patents in progress
• Customer information
• Pricing strategies
• Source code
• Unique manufacturing and technological operations
• Latest research and development
• Future plans and mark

So this is a … real-time threat in your network.

Worst Mistakes by the Senior EXECUTIVES:

• Assigning Untrained People to Maintain Security
• Failing to Understand the Relationship of Information Security to the Business Problem
• Relying Primarily on a Firewall
• Failing to Realize How Much Money Their Information and Organizational Reputations are Worth
• Authorizing Reactive, Short-Term Fixes so Problems Re-emerge Rapidly
• Pretending the Problem Will Go Away if They Ignore It

While it seems easy from a security perspective, Senior Executives are generally not security folks. Senior Executives are tasked with running a profitable business and in many cases are still wrestling with the changes that IT has made to the face of business. In almost every case above the onus is on the security professional to understand how the business operates, the costs associated with the security of business, and present this information to the senior executives. It never makes sense to spend more money protecting an asset than the asset itself is worth. Security is about risk mitigation so remember that sometimes an unacceptable security risk is an acceptable business risk.

Solution:

• Standardize security infrastructure
• Computer security policy and procedures
• Awareness training for all staff
• Management support (i.e. allocate budget & time)
• Technical solutions (i.e. firewall, IDS)

How do we get there?

• Acknowledge the importance of security
• Balance security with our mission
• Follow security policy and procedures
• Include all staff members in the education process
• Be an example to other staff

User Product Security Testing:

This service enables an enterprise to assess its current susceptibility to security threats related to products that have been downloaded from the Internet by the enterprise’s employees. And when you buy any kind of product:

“First test, then trust”

Methodology:

Scope:

• The product is analyzed to gain an understanding of its functionality.
• Knowledge about the platform (both hardware and software) on which the product/software runs is gathered.

(“Neither you nor your customers want to see your company name in the headline news as responsible for the latest identity theft scandal”)
Conclusion:

A quick glance at the items to consider for your data protection policy clearly indicates that the world has changed and, as IT professionals charged with data security, we face new and unique challenges every day.
Author:

Himanshu Saraswat

"



NoticeBored Newsletter, May 2008 - Trust, integrity and fraud
Posted by boss on Friday, 02 May 2008 @ 11:00:06 EDT (594 reads)
Topic Awareness Info

cdupuis writes "

NoticeBored dot com Information security awareness newsletter
May 2008 - Trust, integrity and fraud
Dear Clement,

Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as at Société Générale Bank) and numerous other information security incidents provide no shortage of topical material for our 60th module.

Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).

This being the 60th monthly module means NoticeBored is five years old this month! We’re celebrating our fifth birthday with a special offer – please visit the NoticeBored website or contact me for details. If you phone, please don't be surprised to hear party music in the background!

Kind regards,
Gary Hinson
CEO, IsecT Ltd.
Download the newsletter (PDF)

"



Biometrics Man In The Middle (MITM) attacks
Posted by boss on Wednesday, 02 April 2008 @ 11:19:17 EDT (699 reads)
Topic Awareness Info

cdupuis writes "

http://www.techworld.com/security/news/index.cfm?newsID=11863

By Matthew Broersma
Techworld
02 April 2008

A British security researcher has demonstrated a "biologging" system for intercepting biometric authentication data, warning that attacks on biometric systems could become relatively straightforward if current practices don't change.

Matthew Lewis, of London-based Information Risk Management, demonstrated a proof-of-concept biologger last week at Black Hat Amsterdam and released the tool's source code.

Biologger is designed to highlight what Lewis considers a defect in the design of many current biometric systems: the biometric data isn't encrypted between the biometric scanner and the processing server.

The tool identifies and captures such data, opening the way to exploits such as man-in-the-middle attacks, Lewis said.

A number of difficulties remain in carrying out an attack, not the least of which would be inserting the biologger into the network, Lewis said.

However, Lewis' point was to highlight that such dangers exist.

"Organisations across a number of different sectors are beginning to implement biometric systems as part of their physical and logical access controls, while a number of these systems and devices are configured to integrate with existing infrastructures for ease of deployment, such as through the use of IP protocols," Lewis said in a recent white paper on biologging. "It is properties such as this that we seek to explore and exploit as part of a proof of concept construction of a biologger."

The tool can be configured for sniffing biometric devices in a domain, as an inline wire tap or proxy device, for ARP poisoning, or as a memory-resident keylogger on a host, according to Lewis' presentation.

While Lewis' current research focuses on fingerprint systems, he said the same techniques could be carried out against biometric modes such as face and iris recognition access control systems.

Lewis said his aim was not to discourage the use of biometric access control systems, but to encourage their secure design.

"Biometric device manufacturers and system integrators cannot rely on security through obscurity alone for the overall security of their devices and systems," he said in the white paper.

He said that where IP networks are involved, particularly, those deploying biometric systems should identify network traffic routing and the accessibility of biometric-related data on those networks.

Encryption of all biometric, user and control data between devices and management servers could mitigate most of the issues identified in the presentation, Lewis said.

Robust authenticated sessions between devices and servers would also improve the systems, he said.

"

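The mitigation the article closes with, authenticated sessions between the biometric device and the management server, as an added example: this is not code from the article, from Lewis' biologger, or from any biometric vendor. It uses only the Python standard library; the key derivation, frame layout and the names ScannerSession/ServerSession are assumptions for this demo, and it covers authenticity and replay detection only, not the encryption the article also recommends.

```python
# Added illustrative example (not the biologger tool or any vendor's protocol):
# authenticated scanner-to-server framing so the server can detect frames that
# were altered or replayed on the wire.  Standard library only.  Key derivation,
# frame layout and field names are assumptions for this demo.  Confidentiality
# is NOT provided here; in practice carry this over TLS or use an AEAD cipher.
import hashlib
import hmac
import struct

TAG_LEN = 32                 # full HMAC-SHA256 tag
HDR = struct.Struct(">IH")   # sequence number (uint32), user-id length (uint16)


def derive_session_key(master_key: bytes, session_nonce: bytes) -> bytes:
    """Per-session key from a provisioned device key and a fresh handshake nonce,
    so a tag captured in one session never verifies in another."""
    return hmac.new(master_key, b"biometric-session" + session_nonce,
                    hashlib.sha256).digest()


class ScannerSession:
    """Device side: tags every frame and carries a strictly increasing counter."""

    def __init__(self, master_key: bytes, session_nonce: bytes) -> None:
        self.key = derive_session_key(master_key, session_nonce)
        self.seq = 0

    def send(self, user_id: str, template: bytes) -> bytes:
        self.seq += 1
        uid = user_id.encode("utf-8")
        body = HDR.pack(self.seq, len(uid)) + uid + template
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class ServerSession:
    """Server side: verifies the tag first, then enforces sequence monotonicity."""

    def __init__(self, master_key: bytes, session_nonce: bytes) -> None:
        self.key = derive_session_key(master_key, session_nonce)
        self.last_seq = 0

    def receive(self, frame: bytes) -> tuple[str, bytes]:
        if len(frame) < HDR.size + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # constant-time compare: a modified or forged frame fails here
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: frame altered or not from the paired device")
        seq, uid_len = HDR.unpack_from(body)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = seq
        uid = body[HDR.size:HDR.size + uid_len].decode("utf-8")
        return uid, body[HDR.size + uid_len:]


def accepted(server: ServerSession, frame: bytes) -> bool:
    """True if the server accepts the frame, False if it rejects it."""
    try:
        server.receive(frame)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed scenario: one honest frame, then the same frame altered and replayed."""
    master = b"\x11" * 32      # constructed placeholder device key
    nonce = b"\x22" * 16       # constructed placeholder handshake nonce
    scanner = ScannerSession(master, nonce)
    server = ServerSession(master, nonce)
    frame = scanner.send("alice", b"\x01\x02\x03\x04")  # constructed fake template bytes
    honest = accepted(server, frame)
    tampered = bytearray(frame)
    tampered[HDR.size + len("alice")] ^= 0xFF           # flip first template byte
    altered = accepted(server, bytes(tampered))
    replayed = accepted(server, frame)                   # same counter value again
    return {"honest": honest, "altered": altered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())  # {'honest': True, 'altered': False, 'replayed': False}
```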


NoticeBored Newsletter March 2008
Posted by boss on Friday, 07 March 2008 @ 09:26:19 EST (545 reads)
Topic Awareness Info

cdupuis writes "

NoticeBored dot com Information security awareness newsletter

March 2008 - Viruses and other PC infections

Dear Clement,

After covering 'Plan B' in February, we get back to 'Plan A' this month with a core awareness module on malware - computer viruses, network worms, Trojans, rootkits, spyware .... and all that.

Malware was the first security topic we covered when the NoticeBored service was launched five years ago. Way back in 2003 we said “As with many aspects of information security, there is a virtual arms race between the good guys (those working on defenses such as antivirus software) and the bad guys (virus authors etc.). As fast as one vulnerability is closed, another opens up. The media portray the bad guys as spotty teenagers but organized crime and industrial espionage are probably bigger threats and incidents are on the increase.” While we don’t hear so much about true computer viruses in the press these days, there have indeed been major worm outbreaks plus criminal and spying incidents involving Trojans and other forms of malware.

Read more about today's malware risks in the free newsletter and by all means get in touch if we can interest you in the supporting security awareness materials on this topic. There's much more to NoticeBored than the newsletter!

Kind regards,
Gary Hinson
CEO, IsecT Ltd.

Download the newsletter (144kb PDF file)

"



NoticeBored Newsletter February 2008
Posted by boss on Tuesday, 29 January 2008 @ 14:07:57 EST (709 reads)
Topic Awareness Info

cdupuis writes "

NoticeBored dot com Information security awareness newsletter

February 2008 - Plan B

Dear Clement,

Most of the time, most of us are focused firmly on Plan A. Plan A is the day job - strategic plans and routine operations founded on achieving commercial success. Risks are an inherent part of Plan A but in the main we discount them, usually by implementing control measures to ensure, as far as possible, that we get what we want. Plan A is inherently optimistic in outlook.

Plan B starts from the opposite pessimistic perspective. What happens if Plan A does not work out, in fact? What will we do if something dreadful goes wrong? What if, say, a rogue trader places an unmitigated highly leveraged investment that turns sour? What if a big old spy satellite crashes to Earth and, by sheer coincidence, lands right on the data center?

February's NoticeBored awareness module covers contingency concepts including resilience and business continuity, crisis management, business resumption and disaster recovery. I do hope you enjoy the newsletter but please get back to me for more information on becoming a NoticeBored customer. Don't miss out on a wealth of creative security awareness materials!

Kind regards,
Gary Hinson
CEO, IsecT Ltd.

Download the newsletter (165kb PDF file)

"



Security Awareness Video on Strong Password
Posted by boss on Wednesday, 28 November 2007 @ 21:49:06 EST (1096 reads)
Topic Awareness Info

cdupuis writes "

Anyone on this site who is creating or presenting security awareness training is welcome to use our latest video, "Bud Logs In," free of charge.

Bud is an "ordinary worker" who executes every well-known password mistake in the book -- until he masters a better way. We assume most non-technical users really do not wish to be in security training, so we tried to make the video amusing by shooting it in the style of a 1950s instructional video. You can preview it, and if you like, download it in Windows Media Player or Quicktime format, at:

http://www.watchguard.com/bud-logs-in

No registration required; no strings attached. If you use it, let me know how it goes over!

Cheers,

D. Scott Pinzon, CISSP, NSA-IAM | Editor-in-Chief, LiveSecurity Service WatchGuard Technologies, Inc. | www.watchguard.com/rss
206.613.6648 Direct
scott.pinzon@watchguard.com

"



NoticeBored Security Awareness Newsletter on Social Engineering
Posted by boss on Tuesday, 27 November 2007 @ 22:26:12 EST (946 reads)
Topic Awareness Info

cdupuis writes "

NoticeBored dot com Information security awareness newsletter

December 2007: social engineering

Dear Clement,

Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls.

December’s NoticeBored security awareness module identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.

Kind regards,
Gary Hinson
CEO, IsecT Ltd.

PS Download our 2008 security awareness calendar from http://www.noticebored.com/NoticeBored_calendar_2008.pdf

Download the newsletter (148kb PDF file)

"



New Version of the SecureAnchor newsletter
Posted by boss on Sunday, 18 November 2007 @ 19:37:49 EST (1393 reads)
Topic Awareness Info

cdupuis writes "

November 2007

Vol 11, Issue 3

Security in the News
Your source for up to date security headlines

Greetings!

I am sure that everyone is getting ready for the upcoming Thanksgiving Holiday.

From all of the staff at Secure Anchor we wish you a safe and festive holiday.

Eric

NIST Launches Competition for New Hashing Algorithm


The National Institute of Standards and Technology (NIST) is starting a competition for a replacement hashing algorithm for earlier versions of the Secure Hash Algorithms (SHA) to be designated SHA-3.

Hashes are produced by taking a message as input. The hash algorithm then operates on the message, producing an output of a certain length (i.e. a certain number of bits), and are characterized by the fact that if someone else runs the same algorithm against the message, they should get the same hash value as the first person. If there is a difference, then the message has definitely been changed. In this way, hashes are used for message integrity checks - so that if the recipient of a message has a calculated hash value different than the hash value specified as what the message should produce, then the message has been tampered with.

When two different messages produce the same hash value, this is known as a collision. Collisions occur because the hash values are shorter than the messages that produce them. Thus, there is a many to one relationship between messages and hash values. The trick is that because of the probabilistic nature of hashing, the odds of this occurring randomly are very slim. And, in probabilistic terms, the message that would cause the collision with a message which was human readable, would most likely be nonsense, therefore not being a good candidate for the real message. The issue occurs with data other than data which would be human readable.

In recent years, the Chinese have made great advances in discovering weaknesses in the hashing algorithms and causing collisions almost at will.

The algorithm selected to be SHA-3 will be used as an addition to the hashing algorithms specified for use as standards. The Federal Information Processing Standard (FIPS) 180-2 Secure Hash Standard specifies the algorithms which are acceptable for use under the standard.

NIST stated, "FIPS 180-2 specifies five cryptographic hash algorithms, including the SHA-1 and SHA-2 family... Serious attacks have been reported in recent years against cryptographic hash algorithms, including SHA-1. Because SHA-1 and the SHA-2 family share a similar design, NIST has decided to standardize an additional hash algorithm to augment the ones currently in FIPS 180-2."


Russian Business Network Temporarily Offline

The Web site of one of the most famous cyber-criminal organizations has been taken off line - reported by Trend Micro as going down at 0200 GMT, on November 7. Trend Micro states, "Since then, IP addresses of RBN can no longer be reached because there is no routing for them any longer."

Speculation has it that the Russian Business Network (RBN) upstream providers have cut them off. These providers included Tiscali and Russia's C41.

RBN is infamous as the source of many exploits and for distribution of malware. Trend Micro warns that the reprieve may be temporary. Trend Micro security researcher Feike Hacquebord said, "RBN may find new upstream providers. In recent weeks, moreover, Trend Micro has seen equivalents of RBN pop up in Turkey and Taiwan."

U.S. Says to Forget About Online Privacy

Dr. Donald Kerr was confirmed unanimously by the Senate on October 4, 2007 as principal deputy director of National Intelligence, second in command to Director Mike McConnell. Dr. Kerr gave a speech to the 2007 GEOINT Symposium on October 23 in San Antonio, and shed some light on the direction in which national intelligence is headed.

He informed the gathering that the National Intelligence Coordination Center (NIC-C) opened earlier in October. The NIC-C, according to Dr. Kerr, is "a place to bring together all collection systems and agencies and will increase our opportunity to optimize deployment of our collection capabilities."

He described the discussions that took place at the closed door meeting of the heads of the National Security Agency (NSA), National Geospatial-Intelligence Agency (NGA), Defense Information Agency (DIA), and National Reconnaissance Office (NRO), in terms of the need for greater interconnectedness. The problem, as Dr. Kerr framed it, was that, "What we didn't have necessarily in our control was the ability to set standards that would allow for interoperability and interconnection. And to that end, we're now reaching out to the CIOs of the Department of Defense and the intelligence community."

In this way the NIC-C will be used "in terms of moving from a high level of thinking about our national priorities to being able to collectively task problems against the myriad of collection capabilities that this country has."

Dr. Kerr detailed the intelligence agencies' concerns about sharing information with each other, basically because each agency was afraid the other agency would leak information. And it seems that now there is less fear of that as the agencies are getting used to the idea of sharing information, saying, "we've started to bring down those walls as we require information sharing between intelligence, Homeland Security, and Defense agencies and law enforcement."

Dr. Kerr addressed privacy, and offered a new definition, preferring not to worry about old definitions. "Instead, privacy, I would offer, is a system of laws, rules and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change."

The best part was when he discussed the workers at ISPs and why anyone would not trust the government when "...they were perfectly willing for a green-card holder at an ISP who may or may not have been an illegal entrant to the United States to handle their data..."

In response to a question about the Intelligence Agency Advanced Research Projects Activity (IARPA), Dr. Kerr indicated that there might be an expansion of the model beyond the manner in which DARPA worked, saying, "It may not be the case that all of the science and technology needed for our community can be attained by grants and contracts. We may have to find other means as well."

Facebook Launches Online Ad Tracking Campaign

Facebook announced its "Facebook Ads" program. This allows advertisers to know users' activity on Facebook and also third-party sites in order that advertisers are able to deliver more targeted ads. The initiative is based on a technology called Beacon, and is an opt-out system.

Facebook claims that it has taken steps to stop misuse of the information they gather, though, "we of course cannot and do not guarantee that all platform developers will abide by such agreements."

Yahoo Executives Answer to Congress

The US House Foreign Affairs Committee was in rare form when questioning Yahoo CEO Jerry Yang and general counsel Michael Callahan.

The two were summoned to answer questions about the case of Chinese human rights activist Shi Tao. Mr. Tao was arrested by Chinese authorities after Yahoo handed over information to the Chinese government which helped them to ascertain his whereabouts.

Democratic Committee chairman Tom Lantos said, "While technologically and financially you are giants, morally you are pygmies." Republican Congressman Chris Smith compared Yahoo's actions with corporations that cooperated with the Nazis in the last century.

Mr. Callahan tried to explain to the Congressional committee that Yahoo had no choice in the matter, and that they had to obey the local laws of China. He also apologized for giving misleading evidence in the matter. He explained, "I cannot ask our local employees to resist lawful demands and put their own freedom at risk even if, in my personal view, the local laws are overbroad."

Mr. Callahan also noted that Yahoo's China operations are now run by Alibaba.com, a Chinese company, of which Yahoo only owns 40 percent. Cisco Systems and Softbank are also investors in Alibaba.com, and it is a publicly traded company on a Hong Kong exchange.

Mr. Callahan would not say if Yahoo would help Shi Tao and his family, nor would he say whether Yahoo has turned over similar information on other people, or how they would handle similar situations in the future.

Congressman Lantos then asked them if they would at least apologize to Shi Tao's mother, who was sitting right behind them, but they would not do that.

They did say however, that they would make things right by trying not to turn people's names over to the Vietnamese government when they open a business in Vietnam.

The case against Mr. Tao was such that his conviction landed him in prison with a ten year sentence. According to Chinese court documents, his sentence will end November 23, 2014. He was accused by the Chinese government of transmitting a top secret document to overseas news organizations. The document, as it had been smuggled out and published, is easy to find, both in translation and in the original Chinese.

The top secret document was a Communist Party list of instructions to news organizations on what stories to print with what slant.

As it turns out, he was lucky to only get ten years. According to the 'Verdict Document from the Middle Criminal Court, Changsha City, Hunan Province,' we see the following:

"The accused Shi Tao's defender claims, 'Based upon the fact that the accused Shi Tao's actions did not cause grave damage to national security and interests and the fact that the accused has admitted his crime, we ask the court to be lenient.' Upon studying, this claim corresponds with the facts and therefore the court accepts the advice."

U.S. Gets Canadian Company to Turn Over Information on Individuals

Hushmail Communications, a Canadian company, turned over clear text copies of encrypted communications, having kept the users' passphrases.

Funny though, Hush, up until this incident, said no one, including its own staff, could access the content of encrypted emails it processes.

However, as it turns out, the OpenPGP and AES 256 algorithms are no match for those who have the keys.

In 2006, Hushmail introduced server-side encryption as a convenience for its customers, because they found that people were unable to easily use encryption when they needed to install a Java applet on their client machines. Or as the company maintains, using client side encryption was slow and annoying. (Insert your favorite convenience vs. security joke here.)

Therefore, with server-side encryption and the need for the customer to send the passphrase across the public Internet, those at Hushmail were able to capture and store the users' passphrases.

Even with the Java applet enabled performing client side encryption, there appears to be a mechanism with which Hushmail could extract the user's passphrase. This is implied in the Hushmail threat matrix, which states that if an attacker were able to compromise Hushmail's servers, that 'evidence of the attack' would be able to be found on a user's computer. Some read that statement to mean 'in the Java applet', and if that is the case, then there would be other information which could be recovered from the applet. And that is also assuming that the company is not forced to rig the applet with some other type of surveillance mechanism anyway...
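To make the trust-boundary point concrete, here is an added example (not Hushmail's code; a toy PBKDF2/HMAC keystream stands in for the real OpenPGP/AES layer) contrasting the two modes: in server-side mode the passphrase crosses the wire and a compelled operator can decrypt stored mail, while in client-side mode the server only ever holds ciphertext.

```python
import hashlib
import hmac
import os

# Constructed stand-in cipher: PBKDF2 key derivation plus an HMAC-SHA256
# counter keystream XORed over the message. It models *who holds the key*,
# not a production-grade cipher.
def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    return salt + nonce + keystream_xor(derive_key(passphrase, salt), nonce, plaintext)

def decrypt(passphrase: str, blob: bytes) -> bytes:
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    return keystream_xor(derive_key(passphrase, salt), nonce, body)

class MailServer:
    """Hypothetical provider: stores ciphertext and, in server-side mode, sees the passphrase."""
    def __init__(self):
        self.stored = {}            # message id -> ciphertext blob
        self.seen_passphrases = {}  # what a compelled operator could hand over

    def receive_server_side(self, msg_id: str, passphrase: str, plaintext: bytes):
        # Convenience mode: passphrase and plaintext cross to the server, so the
        # operator can retain the passphrase (the failure mode described above).
        self.seen_passphrases[msg_id] = passphrase
        self.stored[msg_id] = encrypt(passphrase, plaintext)

    def receive_client_side(self, msg_id: str, ciphertext: bytes):
        # Applet mode: encryption happened on the client; server sees only ciphertext.
        self.stored[msg_id] = ciphertext

    def comply_with_order(self, msg_id: str):
        """Return plaintext if the operator holds the passphrase, otherwise None."""
        passphrase = self.seen_passphrases.get(msg_id)
        if passphrase is None:
            return None
        return decrypt(passphrase, self.stored[msg_id])
```

The same provider yields plaintext for a server-side message and nothing for a client-side one; the only difference is where the passphrase was typed and which side derived the key.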

They Can Catch Music Pirates but They Couldn't Catch...

The world is again safe from rampant Canadian music piracy as the Canadian Recording Industry (CRIA) successfully threatened the hosting company for Demonoid.com, a BitTorrent site. That is, according to the Demonoid front page which claims: "The CRIA threatened the company renting servers to us, and because of this it is not possible to keep the site online. Sorry for the inconvenience and thanks for your understanding."

Apparently a report commissioned by the Canadian government states that P2P file sharing is not causing CD sales to suffer.

The record industry surge seems to be working, however. They have kicked in doors in multiple countries, coordinating an international campaign, including raiding OiNK in Great Britain, and seizing eDonkey servers in Germany. And in the legal arena they scored a $220,000 judgment against a Minnesota woman. The question becomes, would a person who spends time messing around with music downloads have $220,000 in assets for the taking?

They Did Catch One of the Founders of WabiSabiLabi

There is quite a cast of characters involved in this scandal. WabiSabiLabi is the online auction site for security researchers and creators of exploit code who wish to get paid for their work. The entrenched interests don't like WabiSabiLabi because they want to hold the line at not paying for information regarding vulnerabilities in their products, preferring that the researchers hand over the information for free. Roberto Preatoni was one of the founders of the site.

Meanwhile, Fabio Ghioni, VP and security CTO at Telecom Italia was going around complaining that governments were spying on people and trying to control the population's behavior.

Neither of these guys is going to cause trouble for anyone, as they and some others are now charged with planting Trojans to steal data and spy on telecom execs, publishers and journalists.

Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assets are securely anchored. In addition, we are busy developing software solutions to meet the threats of tomorrow.

Sincerely,

Eric Cole
Secure Anchor

Pointsec Protector provides a policy driven mechanism that secures an organization's sensitive information by controlling data that enters and exits a PC or server via removable media and I/O devices on any port (USB, Firewire, IDE, Bluetooth etc).

Are you...

- An enterprise business or government agency
- In banking/financial services, federal/local government, healthcare, business services, technology and/or manufacturing
- In control of devices connecting to machines in your network
- At risk if critical data is lost

Do you need to...

- Reduce financial risk of lost or stolen data on personal devices connected to PCs or servers
- Comply with regulatory mandates
- Integrate into existing infrastructure
- Reduce operating costs

Let us send you a FREE USB device which contains a discovery tool to detect your exposure to data loss. If you would like one, just send us an e-mail at newsletter@secureanchor.com and we will send it right out.

"

(comments? | Score: 0)


DRM & Security
Posted by boss on Saturday, 10 November 2007 @ 00:00:00 EST (804 reads)
Topic Awareness Info

rajapaul writes "Digital Rights Management (DRM), or as some prefer to say, Digital Restriction Management: the debate is still on.

Some of you may have seen it discussed as "Technology Protection Measures"(TPM). The CD format has survived for more than 20 years as a straightforward way of distributing contents in digital form. To the chagrin of the industry, consumers can easily use their computers to “rip” files from CDs, encode the files compactly, and then redistribute them over the Internet.

For years, industries have sought technologies that could somehow hinder ripping or redistribution. "Digital rights management (DRM) is an umbrella term that refers to access control technologies used by publishers and copyright holders to limit usage of digital media or devices. It may also refer to restrictions associated with specific instances of digital works or devices. To some extent, DRM overlaps with copy protection, but DRM is usually applied to creative media (music, films, etc.) whereas copy protection typically refers to software." - Wikipedia

Why should we as security professionals care? We are all aware of the famous Sony-BMG case, 2005, USA. In October 2005, Sysinternals’ Mark Russinovich discovered a rootkit on his computer, which he later determined stemmed from a Sony-BMG compact disc. The DRM software also acted as spyware, apart from copy-protecting CDs. Months after Sony got into trouble for using rootkit functionality in the DRM protection of audio media, the word ‘rootkit’ is again hitting the headlines. This time the trouble comes in the form of DVD movies containing DRM software from Settec.

At the end of January 2006, German computer users started to post complaints to a public newsgroup about the DVD of the movie of Mr. & Mrs. Smith. Users had noticed the presence of a new protection system on the DVD, which was essentially based on two levels of security. The first was a physical protection on the disc surface (probably some kind of bad sectors), and the second was software protection installed on the machines by the autorun player. The messages posted on the public forum reported strange errors relating to popular DVD ripping programs in the presence of the aforementioned software. It didn’t take long for experienced computer users to understand what was going on.

One week later, the popular German news Web site Heise Online published the first technical analysis of the protection software found on the Mr. & Mrs. Smith DVD, which is named ‘Alpha-DVD’ and produced by the Korean company Settec. According to the first analysis, Alpha-DVD was using rootkit-like abilities to hide itself.

The music, video, software, etc. industries have their own reasons for Digital Rights Management. As security professionals, it is our conscientious duty to take care of both sides of the fence. It is our responsibility to protect our PCs and networks from being compromised. At the same time, we should also understand the reasons behind the digital industry lobbying for DRM. "

(Read More... | 1 comment | Score: 5)


AuditNet News for Auditors
Posted by boss on Friday, 02 November 2007 @ 16:10:30 EDT (850 reads)
Topic Awareness Info

cdupuis writes "November 2007

AuditNet News is sponsored by:

PricewaterhouseCoopers TeamMate, a database-driven audit management system that streamlines the audit process by