Category Archives: Security

023 – NRW07 – Michael Willers – On security and rootkits

Welcome to podcast #023. I’m talking with Michael Willers about security, rootkits and the NRW07 Community Conference held in Germany on the 24th of August 2007. Recorded live, just outside the conference venue (Die Börse in Wuppertal), there is some passing traffic. Please remember that Michael is graciously speaking English, his second language – I’m obviously very grateful to Michael for podcasting in English.

Oh, and Michael has a super MSDN watch!

Podcast feed – subscribe here!

This podcast:

Resources & Related Posts
MSDN Security Week

016 – NRW07 – Daniel Fisher on Community In Germany
020 – NRW07 – Vinzenz Feenstra – Grisoft – AVG
021 – NRW07 – Stephan Oetzel – On Community In Germany
022 – NRW07 – Frank Solinske – Windows Home Server
024 – NRW07 – Mischa Huschen – Dynamic loading of code, plug-ins/add-ins

Technorati Tags: , , , , , , ,

Hitachi 1TB drive – additional security to prevent theft

Over here, Ken writes about the recently released Hitachi 1TB drive.

We spotted one of these drives in our local PC World last week.

Interestingly, all the drives up to and including the 750GB unit where just sitting in brown boxes. Contrast this with the additional security that was installed for the 1TB drive:

Evidently the 1TB drive, which won’t format to give you 1000GB, must be a desirable item for the light-fingered fraternity!

It is a fairly tempting purchase, but at about £225 (at the time of writing), I’ll probably settle for a couple of 500GB units for a third of the price. Besides, one wouldn’t be enough, I could use two 1TB drives! Of course, with large hard drives becoming so commonplace, we must think about backup strategies – it’s all very well having 1000GB attached to your PC, what do you do when it goes belly up?

My simple advice: any backup that works is better than no backup. A simple backup regime would involve using an external USB drive and a program like Cobian backup. External USB drives are cheap enough these days, getting 500GB for under £70 is achievable. Just think of your photographs and all those iTunes bits that you’ve downloaded…backup is important.

Technorati Tags: , , , , , , , ,

012 – Security and forensics with Kroll’s Jérôme Torres Lozano

I was recently given an opportunity to visit a leading data recovery, computer forensics laboratory in the centre of London.

Before the tour of the lab, I was able to record a podcast with Kroll’s Jérôme Torres Lozano, a senior project manager at Kroll (Ontrack Forensics). In this podcast we discuss data recovery, computer forensics, electronic discovery (or disclosure), computer accessibilty, user friendly, law enforcement, wireless networking, secure file deletion (and reasons why you might want to securely delete files), advice for anybody embarking on a career in this domain and hard drive recovery using cleanroom facilities.

Download the podcast here. Transcript to follow.

I have a new podcast feed available too, you can subscribe to it here – and it works with Apple’s iTunes!

Related posts:
009 – Barry Dorrans – aka blowdart
013 – Alun Rogers talks to Tom and Deb Shinder

This podcast:

Further Resources
Kroll OnTrack
National Hi-Tech Crime Unit – now part of the Serious Organised Crime Agency (SOCA)
De Montfort University – Forensic Computing – BSc Honours

Technorati Tags: , , , , , , , , , ,

013 – Alun Rogers talks to Tom and Deb Shinder

In show 13, I simply hold the podcasting kit and let Alun Rogers conduct the discussion. It’s a lively debate between Alun and Tom and Deb Shinder; all three are Microsoft MVPs. We were on a bus heading back to downtown Seattle, so apologies for the background noise!

Download the podcast here. Transcript to follow.

I have a new podcast feed available too, you can subscribe to it here – and it works with Apple’s iTunes!

Related posts:
009 – Barry Dorrans – aka blowdart
010 – Community Podcast – Albert Tafila

This podcast:

Technorati Tags: , , ,

Facebook: seek and ye shall find

Over at Facebook, Robert Scoble, recently posted a video asking this question:

If you search for “Bill Gates” on Facebook you’ll find lots of entries. But, let’s say you were looking for the guy who started Microsoft. How could you tell which one is the “real” Bill Gates?

According to one comment on the video, your search is likely to lead you here: And, to answer your question: “no, I didn’t send a friend request to Bill”. That’s not to say we wouldn’t get on, I’m sure we would…I’d like to podcast with Bill, but that’s for another time!

Now Robert hasn’t told us anything that we couldn’t of worked out ourselves, therefore what he has done isn’t illegal. But what it does demonstrate is that even if you wish to remain anonymous on a social networking site such as Facebook, simply by looking at your circle of friends, an individual can easily find you. That’s not to say all social networking sites are like this. LinkedIn, for example, promotes the notion of “introductions”, whereby one of your “connections” can introduce you to one of theirs – you are unable to see the profile of the person you are being introduced to. Facebook, at the time of writing, suffers from poor privacy because I can easily view my friends friends and their friends too. With big names like Bill Gates, as Robert kindly demonstrates, I can easily work out who might know somebody and within a few clicks, voila, I have the person I am looking for. It’s just too easy.

Elsewhere in this blog I have already discussed the security concerns raised by the social networking sites. Microsoft’s Steve Lamb has picked up on it too, spreading his ammo over four posts relating to Facebook applications, Facebook friend requests, Facebook privacy and in the same domain, his mother’s maiden name. Clearly Steve is as worried about the opportunities that social networking sites are providing for would-be criminals as I am. There’s so much personal information available on the Internet already…now it’s just propagating as the masses swarm to the social networking sites leaving all sorts of personal information littered over a plethora of profiles. It’s a big problem.

My foray into the social networking world primarily revolves around Facebook (others are under consideration) and what its “value add” is in terms of Community. It has mileage, for sure. It’s a good thing, privacy and security issues aside. I do like it. But I have lots of questions: How is it affecting our daily lives? What are people getting from Facebook itself and from Facebook Groups? Why are there so many social networking sites? These are all questions I hope to answer over the coming months, but in the meantime, please feel free to comment about your experiences in the social networking world.

Technorati Tags: , , , , ,

Chris Seary’s Ten Important Tips for Securing a Web Application

I left my 5mp digital camera running at DDD5 and managed to catch all of Chris Seary’s session. The video quality isn’t that good, but if you use it in conjunction with these slides and this blog post you should be fine. The audio is reasonable.

I’m looking into getting a better camcorder that is more suited to this kind of filming. May be at the next DDD you’ll see me there with a camcorder! (PayPal donations will be gratefully received!)

Video: Ten Important Tips for Securing Your Web Application

Technorati Tags: , , ,

RBS Internet Banking – the card reader has arrived!

My Royal Bank of Scotland Internet Banking card reader arrived today. It a Xiring unit, a numeric keypad with a small LCD at the top and a slot for my bank card. More information about the Xiring products can be found here:

Using this kind of unit has the advantage of being totally independent of any operating system – listeners to my recent podcast with Barry may recall that we lamented about the fact banks often send out equipment that will only work with Microsoft Windows XP. These units have no physical connection to the PC, so will even work with the operating system used by Apple Macintosh computers.

Authentication before the card reader
Previously, I used a 4-digit PIN and an 8-character password. Authentication consisted of providing 3 selected digits from the PIN and 3 characters from the password. I was occasionally asked for additional characters if I wanted to do something that wasn’t a run-of-the-mill transaction (e.g. add a standing order). Essentially, this form of authentication relied on something I know. The trouble with this approach is simple: the bank also know this information. Which does leave it open to abuse, either via employees “taking it with them when they leave”, or the material simply appearing in the trash. I’m not saying that this has happened at the RBS, however it has happened to other banks, as is widely reported.

So what’s the authentication process now?
Well, nothing has really changed for day-to-day transactions. However, the following items require the use of the card reader: Add a new Payee, Amend a Payee, Create New Standing Order, Change Security Number and Change Password. I authenticate and login as I did before, however using any of the aforementioned features, I have to use my card reader. I insert my card, push the Respond button and enter my card’s PIN. I then have to enter a number into the card reader – it’s provided by the RBS Internet Banking web-site. Once I enter that number into the card reader and press OK, it then displays a number that I must enter into the web-site. There’s a better explanation over here.

So now, whilst the basic authentication remains the same, for certain features, the authentication is relying on something I have, in this case the card reader, the card and my card’s PIN. This makes it a little harder for those people who have discovered my on-line banking PIN and password to transfer money to a new payee.

I can only assume that the types of fraud that have been affecting the major Internet banking operations revolve around the creation of new payees, direct debits and standing orders. Certainly in the few cases I’ve been close to, the creation of a new payee followed by a single transaction, or more likely two transactions, this would ring true. This card reader will help alleviate those kind of fraudulent transactions. The need for a perpetrator to have my bank card and the PIN for it do add an extra layer of security. I won’t need the card reader that often, most of my payees are already set up, however it will mean that when I do need to add a new payee, I will need the card reader present.

What’s next? Bio-metrics: the third tenet of authentication, something you are, e.g. fingerprint, voice-print, retina scans.

More information

Further reading

Technorati Tags: , , , , , , , , , ,

009 – Community Podcast – Barry Dorrans: Win a ticket to TechEd

Yesterday, I managed to corner Barry Dorrans and convince him to let me record a podcast with him! Barry didn’t take much convincing…and as he admits himself, I took his podcast virginity!

Recorded live, in The White Hart near the Tottenham Court Road tube station. There were other folks in the pub, they didn’t know we were podcasting so you can hear them in chatting away in the background…apologies for that.

We talk about social networking, social networking fatigue, Facebook security, Cardspace, portability of cards, USB/smart card authentication, secure certificates, hardware authentication, BBC iPlayer (we touch on DRM for a second), UAC, Windows Vista, DDD5, conferences in Ireland, social security numbers, banks calling you and a whole host of other things. Barry’s a humorous guy who manages to inject that humour into this podcast!

Download the podcast here. Transcript to follow.

I have a new podcast feed available too, you can subscribe to it here – and it works with Apple’s iTunes!

Related posts:
Podcasting – great advice
001 – Community Podcast – Dave McMahon, NxtGenUG
002 – Community Podcast – Ravi Nar – VistaSquad
003 – Community Podcast – Guy Smith-Ferrier – DotNetDevNet
004 – Community Podcast – Barry Carr, Gary Short, Hamish Hughson – North East of Scotland User Group
005 – Community Podcast – GeekDinner/DDD5 – Adrian Sutcliffe
006 – Community Podcast – DDD5 – Mike Scott – Gary Short
007 – Community Podcast – GeekDinner/DDD5 – Four Cool Guys
008 – Community Podcast – Post-GeekDinner – Ben Hall – Chris Gaskell

This podcast:

Want to win a TechEd ticket? Try your luck here: NxtGenUG

Charteris plc
Robert Scoble

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Password security – even big names fail

Great mate Barry and I did a podcast yesterday. In and around the podcast, we chatted about password security, a subject not missed by fellow great mate Alan – he’s a great fan of pass phrases (i.e. a sentence instead of a single word). So yesterday, whilst in London, Barry picked up an Oyster card application form – I’m kind of interested in getting one, if only to maintain the stereotype of a Scotsman (although Mr Smeaton has changed that!)

Imagine my surprise at reading section 3. Password:

What’s this all about? A password is now called an answer. The password can’t be longer than 18 characters and cannot use spaces or punctuation? Adding a space or two and some punctuation is the first step to making a strong or secure password. Limiting it to 18 characters, including numerical values, rules out pass phrases (which are harder to guess and less prone to dictionary attacks). But, the other answers on this part of the form, can include spaces. Your mother’s maiden name? Does it have spaces?

Better wording of this question and more flexibility for the password are required…surely?

Technorati Tags: , , , , , , , , , , , , , , , ,

Help me hack a web-site…please?

Via, you have to wonder what sort of responses this kind of post would get:

Dear sir,

Please some body E-mail me how to hack another computer through my computer in the internet and how to get another computer IP address through in my computer and how to access to anther computer.

Please don’t misunderstand me, as I’ll never do unnecessary thinks if I learn this. I want to know and take knowledge about this. Please E-mai me – ****

Thank you,

I am amazed that people still ask this kind of question…and expect us to cough up with an answer.

[Update: Barry has just reminded me of a post over at his blog – where it seems that there’s a lot of demand for a tribalwars hack…]

Technorati Tags: , ,

Facebook – how honest are you?

I noticed on Steve Lamb’s blog, the day after I fired off a Facebook invite to him, that he has some security concerns with the Facebook registration mechanism. And rightly so. Were it not for a large element of honesty, it’s remarkably easy for me to sign up to Facebook and pretend to be somebody else.

Steve’s right to question this issue, it and many others have been on my mind for a while now: why do we have so many social networking sites and why do people sign up to them? What’s the attraction? What do we get back from them? How are they improving the quality of our lives? Are they adding any value to the community?

And if you don’t believe this, how do you know that this person is who they say they are? I’m sure that there are clues…but I could easily upload a picture of a celebrity, use their name and basically pretend to be them. Now there’s an experiment! Incidentally, both Steve and I would appear to be “one person removed” from the aforementioned person! [Update, it seems that Steve knows the aforementioned celeb! Or does he?]

Craig Cockburn also has similar concerns:

Did you know that if you upload your date of birth, hometown, occupation and High School info to a social networking site such as this one that you are giving a potential thief more than enough to commit identity fraud?

Anyway, I’m still writing the blog post that I mentioned here, expect this topic to be raised in that post too.

Technorati Tags: , , , ,