Saturday, April 28, 2007

"Nation's Cyber Plan Outdated, Lawmakers Told"

Brian Krebs of the Washington Post has a blog entry, "Nation's Cyber Plan Outdated, Lawmakers Told," that discusses recent testimony to the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee.

"Palamida Launches Code Vulnerability Reporting Tool"

EWeek's article, "Palamida Launches Code Vulnerability Reporting Tool," discusses an open source vulnerability reporting tool from Palamida. This tool searches code for vulnerabilities found in the National Vulnerability Database.

Wednesday, April 25, 2007

Top Ten Famous Hackers's article, "Top 10 Famous Hackers", lists 5 black-hat hackers and 5 white-hat hackers. Can guess their names before reading the article?

Monday, April 23, 2007

"Feds urge tougher ID theft laws"

The Register's article, "Feds urge tougher ID theft laws," discusses the ID Theft Task Force's Strategic Plan to combat ID Theft. The Register article says:

The Center for Democracy and Technology, applauded some of the plan's provisions, but said the plan didn't go far enough. "The report lacks any holistic approach to fixing an outdated national privacy framework that is dangerously ill equipped to respond to modern privacy threats," the CDT argued on its website. "CDT continues to call for the enactment of a national consumer privacy law and for real enforcement of the Federal Privacy Act."

Sunday, April 22, 2007

To find the Danger,This Software Poses as the Bad Guys

The NY Times article, "To find the Danger,This Software Poses as the Bad Guys," discusses a static software analysis product from Veracode that scans binary code. Previous products from Fortify, Coverity and Watchfire perform static analysis at the source code level.

Saturday, April 21, 2007

"Stones Unturned: Gaps in the Investigation of Sarasota's Disputed Congressional Election"

Dan S. Wallach and David L. Dill wrote short article, "Stones Unturned: Gaps in the Investigation of Sarasota's Disputed Congressional Election," that discusses the 18,000 vote undercount the November, 2006 election. The executive summary states:

In total, the State's investigations have provided no persuasive explanation for Sarasota's undervotes. We recommend additional testing and analysis of both the software and hardware used in Sarasota. We also recommend analysis of ES&S's internal documents, including their bug tracking system and other versions (earlier and later) of their software. We estimate that this additional investigation could be conducted by an appropriate team of experts with about a month of work.

Friday, April 20, 2007

"Researcher: Tools Will Help Personalize ID Theft by 2010"

PhysOrg's article, "Researcher: Tools Will Help Personalize ID Theft by 2010," discusses a framework by Roelof Temmingh that uses transforms to help phishers. The idea behind a transform is that given a piece of data, such as a domain name, the transform can find a corresponding telephone number. This number could then be used in a piece of forged email from a phisher. (See also the eWeek article). Temmingh is the developer of the Wikto and Crowbar security testing applications.

Thursday, April 19, 2007

"State Department Got Mail _ and Hackers"

The AP article, "State Department Got Mail _ and Hackers," discusses a recent intrusion at the State Department's Bureau of East Asian and Pacific Affairs that started with an email attachment.

"The State Department detected its first break-in immediately, Reid said, and worked to block suspected communications with the hackers. But during its investigation, it discovered new break-ins at its Washington headquarters and other offices in eastern Asia"

Tuesday, April 17, 2007

"Notes on Vista Forensics"

SecurityFocus has an interesting article, "Notes on Vista Forensics," that discusses changes in Vista that will affect computer forensics professionals. New features in different versions of Vista such as BitLocker and the Encrypting File System (EFS) will make things a little more complicated.

Monday, April 16, 2007

"Researchers Explore Scrapping Internet"

The AP article, "Researchers Explore Scrapping Internet" mentions NSF's Global Environment for Network Innovations (GENI).

Informal analysis of Spam and Bot attacks

Risks Digest mentioned which has some interesting blog entries that include detailed analysis of spam from Fortune 500 sites include a list of ASNs for recent spams and DDOS attacks.

Tuesday, April 10, 2007

Serenity project: EU funded System Engineering for Security & Dependability project

"Serenity, an EU-funded project, also intends to build a broader community of stakeholders around its objectives and methods, to contribute to the project, provide feedback, validate its results and disseminate them."

"Serenity Forum provides:

  • up-to-date results of the SERENITY R&D teams (deliverables)
  • the latest news on Security and dependability issues within Ambient Intelligence environments
  • a unique opportunity to take part in the research through our on-line forum
  • a detailed presentation of the System Engineering for Security & Dependability project : its teams, its organisation, its approach and methods"

Suggested by Ruzena

Monday, April 09, 2007

"How to read signs of safe software"

Government Computer News's article, "How to read signs of safe software," discusses the DHS-DOD Software Assurance Forum meeting that was held on March 8 & 9. The article discusses two metrics from Microsoft, one of which is the Relative Attack Surface Quotient, or RASQ. For details about RASQ, see "Measuring Relative Attack Surfaces" by Jeannette Wing (a member of TRUST.)
The other Microsoft security metric:

"... informally known as the “vulnerability coverage method,” assumes the existence of an “outside community of researchers providing a stream of vulnerability reports on new versions of Microsoft products,” Lipner said. This external research community is a “euphemism for vulnerability finders that either report or exploit” vulnerabilities.

A Microsoft team analyzes each vulnerability reported and determines whether it has been removed from the product version under development and, if not, whether it ought to be, based on the risk it presents."

Saturday, April 07, 2007

"Don't use WEP, say German Researchers"

Infoworld's article, "Don't use WEP, say German security researchers," discusses the paper "Breaking 104 bit WEP in less than 60 seconds" by researchers from Technische Universitat Darmstadt. The method "needs far less data to find a key than previous attacks: just 40,000 packets are needed for a 50 percent chance of success, while 85,000 packets give a 95 percent chance of success." TRUST researcher David Wagner has also worked in this area. See also the Slashdot discussion.

Friday, April 06, 2007

"Opposition to Electronic Voting System Grows in France"

The NY Times article, "Opposition to Electronic Voting System Grows in France," discusses concern about the use of machines from the same manufacturer that made the machines involved in the 18,000 vote undercount in Florida. The NY Times quotes Rob Palmer, director of marketing and communications for ES&S-iVotronic as saying: "We have an extreme amount of confidence in our machines in France" ... "Our machines have proven themselves in thousands of elections in the United States and elsewhere." Ars Technica's article, "Congress finally considers aggressive e-voting overhaul" covers "Voter Confidence and Increased Accessibility Act".

Eugene Spafford honored by ACM

Eugene Spafford, a member of the TRUST Executive Advisory Board will be given the ACM President's award for "his enduring and impressive leadership in computer security, policy, professional responsibility, and the Internet". For details see

Monday, April 02, 2007

CRS Critical Infrastructures report updated

On March 13, 2007, the Congressional Research Service updated their report: "Critical Infrastructures: Background, Policy, and Implementation." This report covers the history of protecting critical infrastructure starting from the Clinton administration.