Friday, November 23, 2007

The most annoying security procedures

According to a Swedish survey with 1200 participants, these are the three most annoying security procedures that are enforced at companies:

...change password: 43%
...the USB port is blocked: 42%
...not being able to select password: 41%

I certainly agree with the first one... it is annoying, because it is hard to remember all passwords at different places.

Thursday, November 15, 2007

Security Architecture Analysis

While looking for work related to my research, I stumbled upon this survey from the Australian government: A Survey of Techniques for Security Architecture Analysis. It's quite an interesting survey. It's only too bad that it is rather old, from 2003. However, it contains a lot of interesting stuff and I have not found any other paper that covers as much work in this field in the same context. The abstract of the survey says (my layout and emphases):

This technical report is a survey of existing techniques which could potentially be used in the analysis of security architectures. The report has been structured to section the analysis process over three phases:
  • the capture of a specific architecture in a suitable representation,
  • discovering attacks on the captured architecture, and
  • then assessing and comparing different security architectures.
Each technique presented in this report has been recognised as being potentially useful for one phase of the analysis. By presenting a set of potentially useful techniques, it is hoped that designers and decisionmakers involved in the development and maintenance of security architectures will be able to develop a more complete, justified and usable methodology other than those currently being used to perform analyses.
Does anybody know of any other work that covers all the three phases above?

Monday, October 8, 2007

Citrix vulnerability

Richard's recent post at TaoSecurity pointed me to this interesting blog entry:

CITRIX: Owning the Legitimate Backdoor | GNUCITIZEN

I have found the explanation for why it is easy to hack a Citrix server at Citrix Systems Inc:
Citrix’s passion is to simplify information access for everyone. As the only enterprise software company 100% focused on access, this is also our unique passion.

... Higher Productivity—Users need access to be invisible. They want easy, on-demand access from wherever they are, using any device and network.
So Citrix wants to simplify information access for everyone and make the access invisible, and Citrix does it with passion...

Wednesday, September 19, 2007

Poor Macbook thieves

Thieves stole a set of Macbooks from a school in northern Sweden, according to this Swedish newspaper:

Macbooktjuvar klev rakt i fällan (Macbook thieves walked straight into the trap) - IDG.se

However, what they did not know was that software from Orbicule had been installed. With this software it was possible, among other things, to identify the computers' new IP addresses and send pictures of the thieves from the built-in webcam. Then it was easy for the police to identify the thieves and capture them.

That is kind of an intrusion response system!



Psychological warfare

On Anton Chuvakin's blog I read the following entry: Why Security Is Useless. This is probably true, but that also makes me think: "well, then the only reasonable thing is to give up security". This resembles psychological warfare. As the Borg in Star Trek say: "resistance is futile".


Tuesday, September 18, 2007

Sweden the third most used country for cyber crime

Sweden has, according to a Swedish newspaper, a lot of servers that are used for criminal acts. Third position this year; last year we had the second position...

Kriminella avancerar på nätet (Criminals advance on the net)

Chockhöjning av nya virus... (Shock increase in new viruses...)

Well, I hope this might increase the funding for computer security at large and specifically intrusion detection.