September 29, 2006

Michael Howard on Silver Bullet Security Podcast

So Gary cornered Michael and got him on the latest Silver Bullet Security podcast. Welcome to the club. :) It's got some great little nuggets of information. I loved the point that security is about man vs. man, not man vs. machine. So true. And if you want to learn why some of the Vista security underpinnings are there, listen to learn about the idea of damage isolation and the way many layers of security now reduce the severity of potential vulnerabilities that we just don't know about yet. Great podcast. Good job to both Gary and Michael on an entertaining 30 minutes.

NIST Log Management Guide 800-92 is Final!

Anton points out that NIST has released SP 800-92 ("Guide to Computer Security Log Management") in its final form. This is good news. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout a business. Although, like typical NIST documents, it's focused on the enterprise, I believe there is good guidance here that even small businesses can take advantage of. Happy reading!!!

September 28, 2006

Black Dog: Watch out for his "byte"

Found a really kewl embedded Linux device today called Black Dog that powers off of the USB port of a PC. It can then load an X server into memory on a Windows machine, and project the output from the Black Dog server to the Windows host. I see some real potential here. It even has a biometric sensor to "unlock" the device to continue use from one machine to another. (Although we all know my thoughts on biometrics alone.) For me, this could make an EXCELLENT infosec mobile platform. I could run all my infosec tools on any machine I sat down on, with very little software fingerprint on the host OS. The only problem I see is that it leverages the host network adapter, which means I couldn't do low-level RAW socket stuff on XP. They have a short demo showing how this works. Check it out.

If anyone wants, this could make a kewl early Xmas gift for me. :)

Static code analysis for web apps

Over at Security Compass they have released the "Securitycompass Web Application Analysis Tool", or SWAAT for short. It is a FREE static code analysis tool that will parse PHP, ASP and JSP files, looking for possible coding defects in the code. I downloaded it and gave it a try on my ASP.NET 2.0 directories, and it couldn't pick them up at all. Checking their FAQ, it says it supports .NET 1.1 or above... but I am thinking they mean ASP, and NOT ASP.NET. If you are a PHP developer you may have better results; it looks from their examples like that is what the tool was originally targeting. It is in beta, and I caused a bunch of exceptions just trying to run it. i.e.: You have to run swaat.exe from their base directory; you can't call it with an explicit path, as it fails with an IO exception... not being able to load the XML files. It is a beta, so I won't be too critical on that at this point. You can download SWAAT here and give it a try. You might have better results than I did.

September 21, 2006

Developing Applications using Windows Authorization Manager

Up on MSDN they just published an article that explores techniques for developing with Authorization Manager, a role-based application framework which provides runtime access validation methods, storage, and a UI to manage access control. Authorization Manager provides a high-end authorization solution for .NET applications and COM applications. Authorization Manager supports the use of Windows integrated authentication, Active Directory Application Mode (ADAM) authentication, Active Directory Federation Services (ADFS) claims-aware applications, and SQL Server or custom authentication. The Authorization Manager runtime is separate from the authorization policy store, which may be stored in Active Directory, ADAM, or XML.

If you are an architect or developer involved in application authorization design and implementation efforts, you might find this article interesting.

September 18, 2006

Mythbusters: When biometrics fail

Ever watch MythBusters? It's a great show. I quite enjoy it. It's not often that they do something that crosses into my realm though. Of course, recently they DID beat a biometric fingerprint door lock. Biometrics alone are not enough. You need more factors (like an external PIN) so that along with "something you are", there is "something you know". Absolute security is a myth. With enough time and resources, most systems can be beat. Adam and Jamie showed that.

September 05, 2006

Sleuth Kit now has Windows binaries

Oh this is kewl. The OSS project Sleuth Kit now has binaries for Windows. If you don't know, Sleuth Kit is an excellent set of OSS computer forensic tools to help you investigate data on hard disks. My favorite tool is mactime, which lets you build a timeline of access to a file, helping to determine just what an attacker did on the system. If you can't afford EnCase, Sleuth Kit is a powerful set of tools you might find useful. Check it out.

September 04, 2006

Google developing eavesdropping software

The Register reports that Google is working on software that can listen to background noise from your TV and deliver contextual advertising based on what you are watching. By converting the sound from your PC microphone into a digital fingerprint to identify the TV source, they hope to deliver content-based ads directly to you. Anyone else see anything wrong with this? Besides the privacy issues, this is just begging to be abused by other authorities. It reminds me of the covert webcam kernel driver I wrote for an agency years back that took secret snapshots of people who wrote "words of interest". You just know no good can come of this. Let's just hope Google doesn't hide this in some 50-page EULA for their toolbar or something.

Be honest and let us decide if we REALLY want it.
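To show what the mactime timeline mentioned in the Sleuth Kit post above actually looks like, here is an added example (my own code, not part of Sleuth Kit and not from the original post) that builds a mactime-style timeline from a "body" file. It assumes the pipe-separated body format that Sleuth Kit's fls -m emits in the 3.x series (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 meaning "not set"); the sample body lines are constructed, not captured from a real disk. Each file contributes one row per distinct timestamp, and the "macb" column marks which of the modified, accessed, changed and born times fall at that instant, which is how you read what an attacker touched and in what order.

```python
"""Build a mactime-style timeline from a Sleuth Kit body file.

Added example, not Sleuth Kit code. Assumes the TSK 3.x body format
(one pipe-separated line per file):
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds; 0 means the time is not set.
"""
import sys
from datetime import datetime, timezone

# Constructed sample body file (not captured from a real system).
# The dropper in /tmp/.x is created (m,c) and then executed (a); auth.log
# is rewritten shortly after.
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1832|1159300000|1159300000|1159300000|0
0|/tmp/.x/bd|5678|r/rrwxr-xr-x|0|0|4096|1159300200|1159300100|1159300100|0
0|/var/log/auth.log|9012|r/rrw-r-----|0|0|120|1159300300|1159300250|1159300250|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def parse_body(text):
    """Parse body-file text into a list of dicts keyed by FIELDS."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def build_timeline(entries):
    """One row per (file, distinct timestamp), sorted by time.

    The 'macb' field has a letter for each time type that equals the
    row's timestamp and a '.' otherwise, as mactime prints it.
    """
    rows = []
    for e in entries:
        by_ts = {}
        for letter, key in (("m", "mtime"), ("a", "atime"),
                            ("c", "ctime"), ("b", "crtime")):
            ts = e[key]
            if ts <= 0:          # 0 / negative: time not set, skip it
                continue
            by_ts.setdefault(ts, set()).add(letter)
        for ts, letters in by_ts.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            rows.append({"ts": ts, "macb": macb, "size": e["size"],
                         "mode": e["mode"], "uid": e["uid"], "gid": e["gid"],
                         "inode": e["inode"], "name": e["name"]})
    rows.sort(key=lambda r: (r["ts"], r["name"], r["macb"]))
    return rows


def rows_between(rows, start, end):
    """Narrow a timeline to the suspected intrusion window (inclusive)."""
    return [r for r in rows if start <= r["ts"] <= end]


def format_row(r):
    """Render a row roughly the way mactime does (UTC)."""
    when = datetime.fromtimestamp(r["ts"], tz=timezone.utc)
    when = when.strftime("%a %b %d %Y %H:%M:%S")
    return (f"{when} {r['size']:>8} {r['macb']} {r['mode']} "
            f"{r['uid']:>4} {r['gid']:>4} {r['inode']:>8} {r['name']}")


if __name__ == "__main__":
    # Read a real body file from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BODY
    for row in build_timeline(parse_body(text)):
        print(format_row(row))
```

With a real image you would generate the body file with Sleuth Kit first (for example `fls -r -m / image.dd > body.txt`) and pipe it in; the point of the macb column is that a row showing "m.c." followed a moment later by ".a.." for the same path is a file being written and then run, which is exactly the sequence you want to see when reconstructing an intrusion.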