January 2007 - Posts
From: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009784&source=rss_topic82
January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.
But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen."
According to Tringe, the compromised server had "several weaknesses that could have been exploited," including a missing Microsoft Corp. security patch, she said. "Unfortunately, we have no way to determine what particular weakness was exploited."
Patches are here:

EFS is here:
Protecting Data by Using EFS to Encrypt Hard Drives
Bitlocker is here:
Windows BitLocker Drive Encryption Step-by-Step Guide
Application Based Encryption is here:
Cheers
It is not about the OS or development platform, but rather about what you do with it and how easily it can be done.
Please read this: Security no matter what the OS
And then go for these depending on who you are at current moment:
Home Users:
IT folks:
Developers:
Cheers
I've previously blogged about SOA Security Inside Enterprise walls
This time I had a couple of pretty interesting requirements from one customer, targeting a B2B/partners scenario. They had a web site that communicates with a partner's web services. The customer's concerns were sincere and pretty fair:
- I want to manage the creds that I use to authenticate with the partner's web service in a secure way
- I want to pass them over the wire in a secure, standard way
- The partner won't do any major changes to his authorization schema inside the web service
- The authorization schema must be easy to manage and standard
Without any hesitation I went to the following topic:
How To: Call a Web Service Using Client Certificates from ASP.NET 1.1
and implemented step by step what was described. In the code you see that one needs to export client certs. The customer's concern was about how safe the cert is; no worries, it is exported without the private key:

The last thing I needed to do was web service authorization, so I mapped the client cert to a Windows account on the web service machine like this:
Then in the web service code I applied standard role demands (specifically, here I demand a particular user, but it could be a group too, like "...Demand, Role = @"myServer\Group8"").

When the app called the web service method, it picked up the client cert and sent it over to the web service, which in turn mapped it to a Windows account, and the principal permission was applied to that account. When I called HelloWorld1() everything was fine, since it was protected by a demand for the user the cert is mapped to; on the other hand HelloWorld2() was rejected, since the cert I was sending is NOT mapped to that user. Man, these are those rare moments when I am happy to see exceptions :)
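As an added example (not the code from the how-to or from this post), here is the shape of both sides in C#: the ASP.NET 1.1 caller attaching the exported certificate to the generated proxy, and the partner's .asmx methods protected with the principal demands described above. The `PartnerService` proxy class, the `https://partner.example.com/Partner.asmx` URL, the `C:\certs\client.cer` path and the `myServer\PartnerUser` / `myServer\OtherUser` accounts are assumed names.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Web.Services;

// Caller side: the ASP.NET 1.1 web site calling the partner's service.
public class PartnerCaller
{
    // Assumptions: PartnerService is the proxy generated by wsdl.exe / "Add Web Reference",
    // and client.cer is the cert exported WITHOUT its private key. The private key stays in
    // the certificate store of the account the app runs under; the .cer file only tells the
    // SSL stack which stored key to use for the client-certificate handshake.
    public static string CallHelloWorld1()
    {
        PartnerService proxy = new PartnerService();
        proxy.Url = "https://partner.example.com/Partner.asmx";   // SSL endpoint (assumption)
        X509Certificate cert = X509Certificate.CreateFromCertFile(@"C:\certs\client.cer");
        proxy.ClientCertificates.Add(cert);
        // HelloWorld1() succeeds; calling proxy.HelloWorld2() the same way fails on the
        // server and surfaces at the caller as a SoapException.
        return proxy.HelloWorld1();
    }
}

// Partner side (Partner.asmx code-behind). IIS requires client certificates on this
// virtual directory and maps the caller's cert to the Windows account myServer\PartnerUser;
// web.config uses <authentication mode="Windows" /> so the request runs as that account.
public class Partner : WebService
{
    // Only the account the caller's cert is mapped to may call this method.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\PartnerUser")]
    public string HelloWorld1()
    {
        return "Hello from 1, " + User.Identity.Name;
    }

    // A demand for a different user: the mapped account is not OtherUser, so the demand
    // throws SecurityException. A group works the same way with Role = @"myServer\Group8".
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\OtherUser")]
    public string HelloWorld2()
    {
        return "Hello from 2";
    }
}
```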

Conclusion:
Using minimal coding (client side: a couple of lines; server side: one line per method) and standard configuration of the infrastructure, I achieved:
- On the caller's side the creds are managed in a standard, secure way: the client cert sits in the User Store
- Client certificate authentication is considered one of the strongest authentication mechanisms
- All the data goes over secure communications - SSL3
- Web Service utilizes standard .Net authorization mechanisms which required no coding (almost)
Now tell me why it is not COOL :)
Cheers
http://www2.csoonline.com/blog_view.html?CID=28334
"The Tower Group, a research and advisory company focused on the financial services industry, believes that many mobile commerce offerings now emerging from the financial services sector "lack a reasonable and justifiable focus" on mobile security."
Great!! We share our beliefs :)
Cheers
Boeing develops their line of business applications using a standard software development lifecycle process, which incorporates Microsoft Threat Analysis and Modeling to enable secure system design. Using this application, Boeing is able to provide focused and contextualized guidance to application development teams to aid in the process of building and maintaining secure systems.
More Application Threat Modeling, and even more here
Cheers
http://www.forbes.com/security/2007/01/19/identity-theft-security-tech-security-cz_bs_0122identity.html?partner=rss
"Identity theft is the information age’s new crime."
"Security technologies can work wonders in preventing identity theft, once the economic incentives to apply them are there."
"To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity, which is in the best position to mitigate the risk, responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.
Doing anything less simply won't work."
Heard of PCI and other compliance beasts? It talks about what to do.
And here is how
Cheers
This time it is a large retail chain which "suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad"
The result: "Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach."
Building new retail software or supporting the current one? - Security Engineering is your friend
Cheers
...on the other hand, "you can't always get what you want" :)
In my case - I asked and I got what I wanted
So if you care about your application's security shape - go ahead and download Guidance Explorer today.
Thanks JD!
Cheers
Although passwords are the weakest way to authenticate, one can raise the security bar by creating strong passwords that are hard to crack.
Here are some guidelines from Guidance Explorer for creating strong passwords:
- DO use a password with mixed-case letters. Use uppercase letters throughout the password.
- DO NOT just capitalize the first letter, but add uppercase letters throughout the password.
- DO NOT use a network login ID in any form (reversed, capitalized, or doubled as a password).
- DO use a password that contains alphanumeric characters and include punctuation, such as ! and $.
- DO NOT use your first, middle or last name or anyone else’s in any form. Do not use initials or any nicknames.
- DO NOT use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
- DO use at least seven characters.
- DO NOT use other information easily obtainable. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
- DO use a seemingly random selection of letters and numbers.
- DO NOT use a password of all numbers, or a password composed of alphabet characters. Mix numbers and letters.
- DO use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal a password by looking at the keyboard (also known as "shoulder surfing").
- DO NOT use dates e.g., September, SEPT1999 or any combination thereof.
- DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.
- DO NOT use keyboard sequences, e.g., qwerty.
- DO NOT use a sample password, no matter how good, from a book that discusses information and computer security.
- DO NOT use any of the above things spelled backwards, or in caps, or otherwise disguised.
- DO NOT reveal a password to anyone, as this automatically invalidates its strength.
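As an added example (not from Guidance Explorer or from this post), a C# checker for the rules above that can be expressed mechanically: length, mixed case, letters plus digits, punctuation, the login ID in any form, month names and keyboard sequences. Dictionary words and personal data would need word lists and are left out; the `PasswordRules` class and its method names are my own.

```csharp
using System;
using System.Collections.Generic;

public static class PasswordRules
{
    // Three-letter month prefixes catch both "September" and "SEPT1999" (crude, may over-match).
    static readonly string[] Months = { "jan", "feb", "mar", "apr", "may", "jun",
                                        "jul", "aug", "sep", "oct", "nov", "dec" };
    static readonly string[] KeyboardRows = { "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890" };

    static string Reverse(string s) { char[] a = s.ToCharArray(); Array.Reverse(a); return new string(a); }

    // Returns the guidelines the password violates; an empty list means it passes these checks.
    public static List<string> Check(string password, string loginId)
    {
        List<string> problems = new List<string>();
        string lower = password.ToLowerInvariant();
        bool upper = false, lowerCase = false, digit = false, punct = false;
        foreach (char c in password)
        {
            if (char.IsUpper(c)) upper = true;
            else if (char.IsLower(c)) lowerCase = true;
            else if (char.IsDigit(c)) digit = true;
            else punct = true;
        }
        if (password.Length < 7) problems.Add("use at least seven characters");
        if (!(upper && lowerCase)) problems.Add("use uppercase letters throughout the password");
        if (!digit || !(upper || lowerCase)) problems.Add("mix numbers and letters");
        if (!punct) problems.Add("include punctuation such as ! and $");

        // Login ID in any form: as typed, capitalized or reversed; doubled is caught by Contains.
        string id = loginId.ToLowerInvariant();
        if (id.Length > 0 && (lower.Contains(id) || lower.Contains(Reverse(id))))
            problems.Add("do not use the network login ID in any form");
        foreach (string m in Months)
            if (lower.Contains(m)) { problems.Add("do not use dates or month names"); break; }

        // Four or more consecutive keys of a keyboard row, forward or backward, e.g. "qwer".
        foreach (string row in KeyboardRows)
            if (HasRun(lower, row) || HasRun(lower, Reverse(row)))
            { problems.Add("do not use keyboard sequences like qwerty"); break; }
        return problems;
    }

    static bool HasRun(string pw, string row)
    {
        for (int i = 0; i + 4 <= row.Length; i++)
            if (pw.Contains(row.Substring(i, 4))) return true;
        return false;
    }
}
```

For instance, `Check("Qwerty1999", "jsmith")` reports the keyboard sequence and the missing punctuation, while `Check("Tr!ck5-Ba$e", "jsmith")` returns an empty list.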
Created your password? You can check its strength here (no one is collecting it...):
Password checker
Cheers
...said Michele Norin, director of the University of Arizona center for computing and IT.
As a result of the breach:
"The University of Arizona detected unauthorized access into computer systems on campus, which temporarily has affected some services in three areas. Those areas include Procurement and Contracting Services (PACS), the Student Union and University Libraries"
I'll tell you how the hacker got into the system:
On the host level, I believe they could have used the Metasploit project to compromise unpatched software like the operating system, network, database, web server, etc.
How to protect? Subscribe and patch your systems on a regular basis.
Another way to compromise is to subvert the applications themselves; for example, OWASP.ORG describes 80+ attacks.
How to protect?
Apply Security Engineering when developing your application, or ask for Security Engineering when buying custom-tailored solutions from software integrators.
Cheers.
I was tagged by JD Meier as part of a blog-tag chain. So here is my full disclosure of 5 things about me:
- I was born in the Soviet Union (Da, Russian is my mother tongue). I speak Hebrew and English fluently, and learn French when stuck in a traffic jam listening to this disk.
- The first and last time I played such a pyramid game was when I was 13. I asked my father for ten rubles, put it in an envelope and sent it to some address hoping it would come back as 1000 rubles. It did not...
- I am a big fan of stout like Guinness and Murphy's, and also love Czech beer like Starobrno and Kozel.
- I did Judo from when I was 13 to 20, so I think we can set up a match with JD to check his Thai kickboxing skills next time I am on the Redmond campus.
- I think that Duke Nukem is the 3D game of all time. I wish it were available on XBOX.
"I'm Duke Nukem, and I'm coming to get the rest of you alien bastards!"
:)
So here are my blog-tagged homies: Yosi, Eliaz, Ohad, Eyal, Gadi