.:: Recent events ::.

29. 7. 2004 - Withdrawal of DES
According to the National Institute of Standards and Technology (NIST), the strength of the (single) Data Encryption Standard (DES) algorithm, with its 56-bit key, is no longer sufficient to adequately protect Federal government information. As a result, NIST proposes withdrawing FIPS 46-3, which specifies DES, together with two related standards. Future use of DES by Federal agencies is to be permitted only as a component of the Triple Data Encryption Algorithm (TDEA); NIST encourages agencies to implement the faster and stronger Advanced Encryption Standard (AES) instead.


21. 7. 2004 - Web application penetration checklist
The OWASP Project has announced version 1.1 of its web application penetration checklist. It lists the issues that should be covered by any standard web application penetration test and will eventually become part of the OWASP Testing Guide once that guide is released. The international versions of the checklist are available for download from the OWASP project page at SourceForge: sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285.


10. 7. 2004 - IT security spending guidance
The National Institute of Standards and Technology (NIST) has released Draft Special Publication 800-65, "Integrating Security into the Capital Planning and Investment Control Process", offering guidance on including security spending in information technology budget requests. The draft is available at csrc.nist.gov/publications/drafts/draft-SP800-65.pdf.


3. 7. 2004 - Rule Set Based Access Control
Version 1.2.3 of Rule Set Based Access Control (RSBAC), a Linux kernel security extension, has been released. Information and downloads are available at www.rsbac.org.


26. 6. 2004 - Two interesting reports from OECD
The OECD Working Party on Information Security and Privacy has published two documents: its report on online privacy and practice (www1.oecd.org/publications/e-book/9303051E.PDF) and the results of the responses received from 21 member countries to the Survey on the Implementation of the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, which was issued in July 2003 (www.olis.oecd.org/olis/2003doc.nsf/LinkTo/dsti-iccp-reg(2003)8-final).


25. 6. 2004 - Reports on client-side exploitation
Symantec has published two reports prepared by its DeepSight Threat Analyst Team. The documents describe instances of client-side exploitation. See tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf and tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf.


13. 6. 2004 - New information security web log
A new information security news blog aggregates news from over 30 security-related sources and is updated daily. See infosec.volubis.com/.


11. 6. 2004 - New NIST Special Publication
The National Institute of Standards and Technology has published new Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories". Special Publication 800-60 is posted in two volumes. See csrc.nist.gov/publications/nistpubs/#sp800-60.


25. 5. 2004 - Website related to security issues of Internet Explorer and others
Security researcher Liu Die Yu has created a website that collects all messages posted to relevant forums (such as BUGTRAQ) since 2000 that concern security issues in Internet Explorer, Outlook, Windows Media Player and the Java Virtual Machine. The site is updated three times a day. See iebug.com/ or umbrella.name/iebug.com/display-homepage.php.


15. 5. 2004 - Honeynet Project's bootable CDROM
The Honeynet Project has announced the beta release of the Honeywall CDROM, a bootable CDROM that contains all the tools and functionality needed to operate a honeywall. Along with it, the paper "Know Your Enemy: Honeywall CDROM" was released. The paper gives an overview of the CDROM: how it works and is configured, its issues and limitations, and several deployment examples. The Honeywall CDROM homepage is www.honeynet.org/tools/cdrom, and the paper is at www.honeynet.org/papers/cdrom.


9. 5. 2004 - Acoustic cryptanalysis
Cryptologists Adi Shamir and Eran Tromer have found that, in some settings, the acoustic emanations of a personal computer (the noise emitted by its electronic components during computation) carry information about the secret key being used. See www.wisdom.weizmann.ac.il/~tromer/acoustic/.


6. 5. 2004 - Security considerations for Voice Over IP Systems
NIST has released draft Special Publication 800-58, "Security Considerations for Voice Over IP Systems". The publication explains the challenges of VoIP security and outlines the steps needed to help secure an organization's VoIP network. To view or download the draft, visit csrc.nist.gov/publications/drafts.html#sp800-58.


20. 4. 2004 - Last part of security strategy released
The National Cyber Security Partnership Task Force has released a 104-page report with recommendations for the federal government and industry. The report is the last of five documents prepared by industry and academic experts on the President's National Strategy to Secure Cyberspace. The Task Force was led by Mary Ann Davidson of Oracle Corp., Chris Klaus of Internet Security Systems Inc. and Edward Roback of the National Institute of Standards and Technology. See www.cyberpartnership.org/TF4TechReport.pdf.


13. 4. 2004 - Checklist for the web application penetration testing
The OWASP Testing Project has released a new checklist to help organizations that are performing, or contracting for, penetration tests of their web applications. The checklist lists the issues that should be tested; it does not prescribe the techniques to be used. See www.owasp.org.


3. 4. 2004 - A new security education organization
A new security education organization, Americans for a Secure Internet (ASI), has launched a website to educate individuals and businesses about cyber security issues. See www.protectingthenet.com/.


1. 4. 2004 - Open Source Vulnerability Database
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world's computer security vulnerabilities, opened for public use on 31 March 2004. The OSVDB online system can be found at www.OSVDB.org.


24. 3. 2004 - New Benchmark for Windows XP
The Center for Internet Security (CIS) has announced the public release of a new Benchmark (v1.1.3) for Windows XP Professional and an updated Windows Scoring Tool (v2.1.12). CIS Benchmarks specify technical security controls that strengthen a system's defenses against attack; CIS Scoring Tools evaluate host systems by comparing their security configuration against the Benchmarks. Both the Benchmark and the Scoring Tool are available for download from the CIS web site, www.cisecurity.org.


21. 3. 2004 - Scanner for detection of rootkits
A new release of Rootkit Hunter, a scanner for detecting known and unknown rootkits, backdoors and sniffers, is available for download at downloads.rootkit.nl/rkhunter-1.00.tar.gz.


9. 3. 2004 - How cyber technologies are exploited by Islamic terrorist groups
The Technical Analysis Group at the Institute for Security Technology Studies at Dartmouth College has prepared a report entitled "Examining the Cyber Capabilities of Islamic Terrorist Groups". Copies of the report can be downloaded from www.ists.dartmouth.edu/TAG/index.htm.


2. 3. 2004 - New security awareness posters available
Those who use posters to raise user security awareness may be interested in a new collection of posters in PDF format, available for free download at members.impulse.net/~sate/posters.html.


28. 2. 2004 - Security Metrics Consortium
A group of chief information security officers has formed an independent Security Metrics Consortium (SecMet) to develop quantitative metrics for network security. The motivation is that without such metrics, network security practitioners cannot measure their success: "what can't be measured can't be effectively managed". Those interested in SecMet are invited to visit www.secmet.org.


26. 2. 2004 - New version of Nmap released
The popular Nmap security scanner has undergone many substantial changes since version 3.00 and is now available as version 3.50. See www.insecure.org/nmap/.


6. 2. 2004 - Passive information gathering in penetration testing
Next Generation Security Software Ltd. has made available a technical paper on an often-skipped phase of penetration testing: passive information gathering. The paper is available for download at www.nextgenss.com/papers/NGSJan2004PassiveWP.pdf.


28. 1. 2004 - Top ten web application security problems
OWASP (the Open Web Application Security Project) has released its updated list of the ten most critical web application security problems. OWASP created the list to help organizations understand and improve the security of their web applications and web services. See www.owasp.org/documentation/topten.


22. 1. 2004 - Information security trends for 2003
Based on an analysis of the messages posted to various information security mailing lists, A. Usher has created a visual depiction of INFOSEC community trends over time. The report can be viewed at www.sharp-ideas.net/research/infosec_zeitgeist.html.


20. 1. 2004 - Discussion of legal issues related to security research
A new mailing list for discussing the legal issues surrounding security research has been established. See seclegal.jscript.dk/.


18. 1. 2004 - ISO 17799 and web application security
The OWASP (Open Web Application Security Project) ISO 17799 project will document how ISO 17799 can be applied to the process of designing, developing and deploying web applications into production. The project is expected to finish in March 2004. See www.owasp.org/documentation/iso17799.


4. 1. 2004 - Guide for mapping types of information and IS to security categories
U.S. NIST (the National Institute of Standards and Technology) has released a first draft of NIST Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories", guidance designed to help agencies determine the appropriate level of security for their systems. See csrc.nist.gov/publications/drafts.html.


27. 12. 2003 - FIPS certification for OpenSSL
U.S. NIST (the National Institute of Standards and Technology) has granted the OpenSSL cryptographic module FIPS 140 Level 1 certification. See www.gcn.com/vol1_no1/daily-updates/24504-1.html.


22. 12. 2003 - Security awareness tips web site
The following site displays randomly chosen information security tips and can be used to educate the user community; refresh the page to see the next tip. See www.gideonrasmussen.com/sectips.


8. 12. 2003 - First mailing list dedicated to the discussion of patch management
The PatchManagement mailing list discusses the how-to's and why's of security patch management across a broad spectrum of operating systems, applications and network devices. To subscribe to the list, visit www.patchmanagement.org.


30. 11. 2003 - New mailing list for secure application development
A new, free resource for the software security community, the SC-L e-mail discussion list, has been created. To subscribe to the list, follow the directions on the form at www.securecoding.org/list.


23. 11. 2003 - Security awareness resources
A new site dedicated to increasing security awareness among the general population and in the technology community is at www.ussecurityawareness.org.


20. 11. 2003 - 2002 Turing Award Lecture available online
The 2002 Turing Award was presented on June 7, 2003, to Drs. Ronald L. Rivest, Adi Shamir and Leonard M. Adleman, the developers of the RSA algorithm, for their seminal contributions to the theory and practical application of public key cryptography. The 2002 Turing Award Lecture by the winners of ACM's most prestigious technical award is now available online in a variety of formats at www.acm.org/turingawardlecture/RSA/.


6. 11. 2003 - Article on how to develop secure programs
D. A. Wheeler's article "Secure Programmer: Validating Input - Best practices for accepting user data" is now available at www-106.ibm.com/developerworks/linux/library/l-sp2.html.
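As an added illustration of the allow-list ("accept only known good") approach that article advocates, the following Python is example code written for this page, not code from Wheeler's article. It shows three validators built on anchored, fully matched allow-list patterns next to two common mistakes: a `$`-anchored `re.match` that accepts a trailing newline, and a deny-list filter that strips `../` once and is bypassed by nesting. The patterns, length limits and sample inputs are all constructed for the example.

```python
import re

# Allow-list patterns: every character class is explicit and ASCII-only.
# [0-9] is used instead of \d because, on Python 3 str patterns, \d also
# matches non-ASCII digits, which int() happily converts.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
PORT_RE = re.compile(r"[0-9]{1,5}")
FILENAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_valid_username(s: str) -> bool:
    # fullmatch() requires the pattern to cover the entire string, so
    # stray whitespace, newlines or NUL bytes cannot ride along.
    return USERNAME_RE.fullmatch(s) is not None


def naive_is_username(s: str) -> bool:
    # Common mistake: '$' also matches just before a trailing newline, so
    # "alice\n" is accepted although the character class never allows '\n'.
    return re.match(r"^[a-z][a-z0-9_]{2,15}$", s) is not None


def is_valid_port(s: str) -> bool:
    # Syntax check first (ASCII digits only, no sign, no whitespace),
    # then the semantic range check on the converted value.
    if PORT_RE.fullmatch(s) is None:
        return False
    return 1 <= int(s) <= 65535


def is_valid_filename(s: str) -> bool:
    # No path separators, no leading '.', no NUL: none of these are in
    # the allow-list, so there is nothing to strip or escape.
    return FILENAME_RE.fullmatch(s) is not None


def denylist_strip_traversal(s: str) -> str:
    # Deny-list counterexample: removing "../" once does not remove it
    # from nested input; "....//" collapses back into "../".
    return s.replace("../", "")


def check(value: str, validator) -> str:
    # Small helper for the demo below.
    return "accepted" if validator(value) else "rejected"


if __name__ == "__main__":
    # Constructed sample inputs, including the hostile ones.
    for v in ["alice_01", "Alice", "alice\n", "a" * 20]:
        print(f"username {v!r}: allow-list {check(v, is_valid_username)}, "
              f"naive {check(v, naive_is_username)}")
    for v in ["443", "0", "65536", "+443", " 443", "\u0664\u0664\u0663"]:
        print(f"port {v!r}: {check(v, is_valid_port)}")
    for v in ["report-2004.pdf", "../etc/passwd", "report\x00.txt", ".htaccess"]:
        print(f"filename {v!r}: {check(v, is_valid_filename)}")
    hostile = "....//etc/passwd"
    print(f"deny-list strip of {hostile!r} -> {denylist_strip_traversal(hostile)!r}")
```

The design point is that each validator answers one question, "is this string one of the values I expect?", and rejects everything else, so new attack encodings need no new rule; the deny-list version, by contrast, has to anticipate every encoding and fails on the first one it did not.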


29. 10. 2003 - Tips for developers and source code auditors
Microsoft has published a new white paper, "Expert Tips for Finding Security Defects in Your Code", written by Microsoft program manager Michael Howard. It is available at msdn.microsoft.com/msdnmag/issues/03/11/SecurityCodeReview/default.aspx.


22. 10. 2003 - Electronic signatures: Final report available
The final report on the legal and market aspects of electronic signatures in Europe has been published by the European Commission on the eEurope website, europa.eu.int/information_society/eeurope/2005/index_en.htm.


19. 10. 2003 - Steganography in Russian
Those interested in steganography who do not mind reading Russian may try the first Russian book on steganography, available for download at steganbook.narod.ru.


9. 10. 2003 - Updated SANS Top 20 Internet security vulnerabilities
The updated SANS Top Twenty is really two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. A list of commonly probed and attacked ports is added at the end of the document; blocking traffic to these ports at the network perimeter adds an extra layer of defense that helps protect against configuration mistakes and oversights on individual hosts. See www.sans.org/top20/.


7. 10. 2003 - Trusted Computing white paper
An exhaustive, well-reasoned and balanced analysis of Trusted Computing from the EFF is available at www.eff.org/Infra/trusted_computing/20031001_tc.php.


6. 10. 2003 - New FAQ on worms and worm containment
A new FAQ on worms and worm containment by Stuart Staniford is available at www.NetWorm.org/faq/.


3. 10. 2003 - New guidelines for the handling of electronic evidence
The Association of Chief Police Officers (ACPO) in the UK has issued a new set of guidelines (v3.0) for the handling of computer-based electronic evidence. It is available at www.nhtcu.org/ACPO%20Guide%20v3.0.pdf.



