Archiv der Kategorie: English
How Effective Are Child Car Seats?
Steven Levitt, after looking at a vast amount of accident data, is convinced that child car seats are pretty useless for children of ages >2. His TED talk teaches important lessons on how we think about safety equipment.
Many thanks to reader Doppelfish for digging this video out.
Don’t worry!
50 Ways to Inject Your SQL
(direct link, found here)
Cryptography for Penetration Testers
SOX – the new security standard
Sock security has been troubling me for a long time. Endless sundays I have spent with the fight against the single sock syndrom. But those days are over. Thanks to a colleague I have discovered sockstar, the revolutionary tool to improve the lower department of your wardrobe-BCM – a simple thing that just does what it should, if you manage to integrate it into your business processes… [end of commercial] http://www.sockstar.de/
Can We Say »Don’t Worry«?
Freeman Dyson, being interviewed about his climate catastrophe skepticism, claims that some professions have trouble shrugging off issues as unimportant. He thinks there be a natural tendency to magnify threats:
»Really, just psychologically, it would be very difficult for them to come out and say, “Don’t worry, there isn’t a problem.” It’s sort of natural, since their whole life depends on it being a problem. I don’t say that they’re dishonest. But I think it’s just a normal human reaction. It’s true of the military also. They always magnify the threat. Not because they are dishonest; they really believe that there is a threat and it is their job to take care of it.«
Obviously, computer security is another candidate. Paranoia is the norm in our subculture, we love to carry a better safe than sorry attitude. To an extent this attitude is justified by experience; there are many case studies of security not being taken seriously, leading to epic fail. Yet, more security technology is not always better. Do we have tools to reasonably say: »Don’t worry,« and justify our recommendation based on facts?
Security Experts: LEAVE YOUR PASSWORDS HERE
Seen by some cctv-cameras in the backgrounds and a colleague at this year’s Infosecurity Europe in London – „Europe’s No. 1 dedicated security event“. Ah those security nerds just know no fear…
The Mathematics of War
According to Sean Gourley this is the formula of war:
P(x)=Cx-α
In this formula, P is the probability of an event, x the number of people killed in the event, and α a value representing the structure of the conflict. Here is his talk of only seven minutes:
In einem Wort
Douglas Adams: Parrots, the Universe and Everything
Psychic Spoon Bender
Writing Cyberwarfare Articles
Foreign Policy net.effect: 10 easy steps to writing the scariest cyberwarfare article ever (via 1 Raindrop)
In einem Wort
Note to self
»The idea of Shutdown Day project is simple – just shutdown your computer for one whole day of the year and involve yourself in some other activities: outdoors, nature, sports, fun stuff with friends and family – whatever, just to remind yourself that there still exists a world outside your monitor screen.«
PS:
In einem Wort
Steven Pinker: A brief history of violence
10 Essential Security Checks
A few days ago Oliver presented his 10 essential Web site checks. Except for a few very basic things I didn’t see security on his list, so here are a few essential security checks for your Web site. You will have to scale them to your needs; the Web site of your local juggling club won’t need the same level of security as an Internet business built around a Web application.
- Understand your threat profile
Understand who might be your enemy and what would be the impact on your Web site and the users of your Web site if an attack succeeds. Don’t be overly paranoid but be honest to yourself. - Use SSL
Although it has its limitations, SSL is a standard security mechanism today and there is almost no excuse for not offering it to your users. It won’t solve all your security problems but it is useful. - Have a person in charge of security
Security requires continuous attention throughout the life cycle of your site. Somebody should be responsible for security, and this person must have sufficient authority to be more than a fig leaf. - Baseline protection
Don’t forget the simple things: backup, patches, secure configuration, etc. Be aware, however, that baseline protection will not make your applications and your own code any more secure. - Build security in
If your Web site serves more than a set of static pages, you must build secure software. Security is not a box in your architecture diagram, it is a set of rules and best practices for software development. - Test early and often
Everybody makes mistakes, and so will you. Have somebody to point out those mistakes to you before the bad guys find and exploit them. Do not rely on automated scanners too much. They are useful but limited. - Be hacker-friendly
The best security testers you can get are white-hat hackers who happen to find issues on your site. Be accessible, properly credit those who helped you, and don’t sue the messenger. Don’t be too proud of not having been hacked, though. - Don’t annoy your users
The point of security measures is to make attacks hard. Their point is not to make legitimate use of the site hard. Putting unnecessary burdens upon your users will likely reduce your security—and the number of users. - Plan ahead for failures and disasters
They are out to get you and eventually they will. Know what to do if your security failed despite all your efforts. Have plans for incident handling, business continuity and disaster recovery. - Compliance is just that
Do not assume that compliance with whichever standard or regulation would be a replacement for actual security.
Homework assignment: pick one item and expand it into another list of 10.
In einem Wort
Phishing Scams in Plain English
How much security do we gain from Trusted Computing?
My colleague Jan is going to present our paper Attacking the BitLocker Boot Process at Trust 2009 (Oxford, 6th – 8th April). The paper is an improved version of the draft we presented at ETISS.
BitLocker is the volume encryption function built into recent versions of MS Windows. It is capable of using a Trusted Platform Module if the PC has one. Our paper describes five attack scenarios that using the TPM does not prevent from succeeding. Some are based on particular features of BitLocker while others rely on the implementation of authenticated booting that is currently used in Trusted Computing.
All five scenarios seem suitable for targeted attacks and require that the attacker can access the target system twice. Executing such attacks is thus roughly as complex as installing a hardware keylogger in the system and returning later to retrieve the sniffed password along with the encrypted data – or just the machine in a condition that permits decrypting the data on disk.
What makes our attacks interesting is the fact that they can be implemented in software. Ideally, Trusted Computing should reliably prevent such attacks from succeeding. However, a TPM does not prevent software from being modified. The TPM only compares measured states with stored reference data. This leaves several holes. For instance one can temporarily modify software and later restore the reference state, or modify boot components before the reference state is determined and stored inside the TPM. While such actions are useless in an opportunisitc attack where the attacker just grabs an unattended machine unprepared, a dedicated attacker might take advantage of them.
Update 2009-12-03: There is a more comprehensive explanation in a later post.
TAIC PART 2009 deadline extended
The submission deadline for the Testing: Academic and Industrial Conference – Practice and Research Techniques (TAIC PART 2009) conference has been extended. The new deadline is April 10, 2009.
Sicher ist sicher? 