Chris Hoofnagle, of the Berkeley Center for Law and Technology, just published a fascinating report entitled "Measuring Identity Theft at Top Banks." If you have not already, and you are at all interested in security and privacy, you owe it to yourself to read the report. It analyzes identity theft reported to the Federal Trade Commission to start developing an understanding of which institutions have more of it. Chris is very clear that this is a first version of the report and that it needs to be extended and expanded, and even lists a number of weaknesses of the current methodology … Continue reading Measuring Identity Theft
Yesterday the editor of the IT section at Amazon.com sent me some questions about the Windows Server 2008 Security Resource Kit. The answers will eventually go on the book detail page. The questions, particularly questions 3 – 6, were interesting and thought-provoking, so I thought I would post them here as well. Question 1: The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive (six of the 12 are Microsoft MVPs, and the others are all either current or former product group employees at Microsoft). How important was it to assemble such a group for this … Continue reading Q&A with Amazon about the Server 2008 Security Resource Kit
Last Friday the last of the Windows Server 2008 Security Resource Kit finally went to press! This was a project I had not really planned and so, to complete it in time, I brought in an amazing crew of co-authors. Together, we managed to put together 17 chapters on how to manage security in one of the most exciting products this year. The contributors to the Security Resource Kit are: Jimmy Andersson – Principal Advisor at Q Advice AB and Microsoft Active Directory MVP Susan Bradley – Small Business Server MVP Darren Canavor – Software Architect in the Windows Security group … Continue reading Resource Kit Done!
The big security news this week is the six vulnerabilities found in various image uploader ActiveX controls. In case you haven't seen the news, there are exploits available publicly for remote vulnerabilities in five different ActiveX controls. US-CERT is offering the relatively unhelpful advice that users disable all ActiveX controls in their browser. Doing so would have the effect of disabling a lot of things, notably virtually every corporate expense reporting application. Your users will probably have a thing or two to say about that. You can mitigate that by adding all the sites users will ever need to the Trusted … Continue reading Mitigate the Image Uploader Vulnerabilities
A few years back I caused quite a stir when I mentioned in passing during a presentation that writing down your password is a really good idea. A journalist in the room decided that saying so qualified me as insane, and my employer sending an insane person all the way to Australia to give a presentation was newsworthy, so he drummed it up far bigger than it really was. I still maintain that writing your password down is the only sane thing to do. At last count, I have 114 different passwords, for different systems, and those are only the ones … Continue reading Write down your passwords
At last, there is a biometric authentication technique that cannot be stolen. Or, well, it can, but at least it won't work any longer. Drs. Philip M. Rodwell and Steven M. Furnell recently published "A non-intrusive biometric authentication mechanism utilising physiological characteristics of the human head" in Computers and Security (vol. 26, pp. 468-478). The technique, drawn from Dr. Rodwell's research, involves measuring the resonance of human speech as modulated by the geometry of the head it originates in. In other words, while pure voice recognition involves measuring things like cadence, volume, and pitch, and can be captured by high-definition … Continue reading Theft-proof biometrics