Monthly Archive: July 2004
Security Paul on 30 Jul 2004
Update your Windows now.
Microsoft releases security updates for their software on the second Tuesday of every month… unless something nasty warrants an early release. Well it’s happened with MS04-025. You can get the information and update from the Windows Security Updates for July 2004 page.
You really should be running Automatic Updates in Windows anyway. It is an effective feature that takes the guesswork out of which patches to load, but doesn’t let Bill into your computer to check and see that all your license keys are up to date or any other spyware-ish functions. If you like to do it the manual way check out Windows Update.
Yes, this is an update exclusively for IE, and no, Firefox or Mozilla aren’t affected. Nonetheless IE is still installed on your system, and you don’t want to have vulnerable software on your system even if you use something else, do you?
Don’t get hosed, take responsibility and update the systems that you own now.
Games & General Paul on 29 Jul 2004
All That is Old is New Again
DennyA over at the Quarter To Three Forums made me smile this morning. There’s a lot of talk about DOOM3 driving upgrades to PC hardware in order to fully experience the graphical glory that is Teh Carmack. This is for all the old school PC Gamers out there.
*** AmiBBS Station V 1.1 ***
WELCOME TO QUARTER TO THREE BBS
Fido Node 341321.343
853 Files Available to Download! 10:1 Ratio Active
* NEW! YMODEM 1K download protocol added!
*** SYSOPS: Mark & Tom ***
Login: DENNYA
PW: *******
CHOOSE AN AREA:
1. Bulletin Board
2. Fidonet
3. Downloads
4. Tradewars
5. Account Settings
6. MSG Sysop (Offline)
Choice: 1_
AmiBBS Bulletin Board
Welcome! Please keep it game related.
Most popular thread: "CRAZY system requirements for Strike Commander!"
^BREAK
SYSOP> DATE
** DATE 921224 14:35
SYSOP> SET DATE 040729
** DATE 040729 14:35
SYSOP> S "Strike Commander" / "DOOM 3"
** Changed 3453 occurrences of "Strike Commander" to "DOOM 3"
SYSOP> RESUME
Powered by phpBB 2.0.8 © 2001, 2002 phpBB Group
Security Paul on 27 Jul 2004
Abandon All Hope…
Come on folks… you’re giving humanity a bad name. If you can’t figure out how this big crazy Internet and email thing works out then maybe you don’t deserve it. Yesterday a “new” email worm classified as MYDOOM.M was released. This email worm is like the other 13 versions of the worm in that you need to execute the attachment in order to infect your system.
Let me be very clear here. Internet email is insecure. There is no assurance that the email address listed in the From: field actually came from that person. Better yet, with worms like MYDOOM the code takes over your system so the email may have your address and may come from your system but you didn’t send it. Email cannot be trusted. Period. End of story.
Anti virus companies are reactive. Once a virus is identified then they scramble to update their product to detect and remove the new virus, but by definition they are always behind… sometimes a little, sometimes a lot, but never, ever in front of the viruses. Anti-Virus is not effective in all situations.
So it falls on you, savvy Internet user, to protect the Internet. It falls on you to recognize a suspicious attachment and not open it. Because if you fail in your responsibility, other people suffer. Enough people opened the MYDOOM.M files (and in some cases unpacked the zip then opened the file) that you broke Google. Let me state that again. You. Broke. Google.
Since enough of you out there don’t care about me and the rest of the Internet I’ll let you in on a little secret. I’m sorry folks but this is the truth: Every time you open a suspicious email attachment a baby bird falls out of its nest. I don’t know how else to put it. If you have any doubt, if you’re not expecting it, if there’s any reason not to open that attachment then don’t. The baby birds are counting on you… don’t let them down.
Games & General Paul on 23 Jul 2004
CryTek Partners with EA
CryTek, an unknown German dev house, made the excellent Far Cry video game for the PC that was a sleeper hit of this year. Most of the PC gaming world is still waiting anxiously for Half Life 2 or Doom 3 and the jump to the next generation of graphics in your first person shooter. Far Cry brought the future yesterday with excellent visuals and even gameplay innovation with map sizes that are bigger than anything previously.
Now one of the 800lb. gorillas of the game publishing world, EA, has signed a strategic partnership with CryTek. Be careful my German friends. EA has made a career of partnering, then purchasing, then eliminating all identity of some great dev houses in the past. Kids these days don’t even know who Maxis, Westwood, or Origin are.
Games & General Paul on 22 Jul 2004
Vampire the Masquerade: Bloodlines – Yahoo! Games Domain
This one is especially for Dave. There is a ton of gameplay movies for the new RPG Vampire the Masquerade: Bloodlines. Yahoo! Games Domain has the movies and it looks pretty interesting if White Wolf vampires are your thing.
Supposedly, the game takes place during Gehenna, the White Wolf apocalypse that is allowing a reboot or 2nd edition or re-imagining of all the White Wolf lines.
Personal Paul on 21 Jul 2004
Italy, Tours, and Control
For seven years of service to my employer I get a sabbatical which is four weeks paid vacation to better my life and come back to work refreshed and ready for another seven years. My wife and I decided to take at least part of this time and get out of the country. Specifically we’re going to go to Italy. My wife didn’t want to be herded around like cattle in a tour group, slavishly following an itinerary and obnoxious tour mates, whereas I did not relish the idea of cruising around the countryside in a rental car an ocean away from anything I’m familiar with and not understanding the local language.
Yes I’m a control freak. Some of my comfort level in any given situation is related to my understanding of the surroundings. It isn’t anything debilitating or even necessarily noticeable, but if I haven’t thought through the scenarios and played some outcomes through in my head I’m a bit withdrawn as I assimilate current information on the fly and continuously update the “what-ifs”. In other words I like to know what’s around the corner. Maybe this is why Security is my chosen profession since I’m always assessing the situation, motivations, probabilities and threats at any given moment.
Anyway after a bit of online research we’ve found a happy medium. Independent tour packages where your itinerary, travel, and hotel are set, but you’re pretty much on your own within the city you’re visiting. There may be a 1/2 day tour hitting the major sites, but for the most part you’re free to wander about and do what you want to do. It sounds like a nice deal, and reasonably priced so I’m getting pretty excited about the trip.
General Paul on 21 Jul 2004
Many-to-Many
If you have interest in the larger realm of social software (where Livejournal, web logging, IM, and many other collaborative online communications and publishing concepts reside) I highly recommend following Many-to-Many, a web log on social software from multiple authors including the very interesting and insightful Clay Shirky.
Security Paul on 16 Jul 2004
Primitive Drivers for Selling Security
Security is often a new or not well understood concept for the individuals at a business or other environment that have the authority to acquire resources. In other words the executives often do not fully understand what the benefits of security are for a company. So it is the responsibility of the security team to “sell” security internally to acquire approval to implement the policies, processes, and technology to improve security.
In my experience there are three primitive drivers for selling security. Approaches to sell consist of at least one but more often a combination of primitives to get the point across.
- Fear: potentially the most often used driver. If you don’t buy this system, we’re going to spend 2 million dollars cleaning up after the next virus attack.
- Compliance: with the advent of security related regulations in the US (HIPAA, Sarbanes-Oxley) companies may be required by law to meet a minimum standard of security.
- Value: security as a business enabler. By adding new business functionality or improvements in productivity you translate security value into business value that the non-security professional can understand.
Different people (remember you’re selling to people, not organizations) will react differently to each driver. Fear is very powerful, but it might backfire if the person thinks you are backing him/her into a corner. Compliance is complex and you must take the time to fully understand the impact of the rules or regulations to your specific situation, and can be limiting to the “letter of the law.” Value is a great driver if you can sell in this fashion because you are talking their language of revenue, productivity, functionality, efficiency and the like instead of the foreign concepts of confidentiality, integrity, and availability.
So the next time you go sell security in your company, understand the mix of drivers in your message and anticipate the reaction. Know how you are selling and whom you are selling to in order to create a better chance of improving the security situation in your environment.
Security Paul on 13 Jul 2004
Monthly MS Patches
As it’s the second Tuesday of the month, you get the latest batch of Microsoft Security Bulletins. If you don’t have Automatic Updates running on your Windows box, go to http://windowsupdate.microsoft.com and get the new patches. Most of the more common and nasty vulnerabilities (out of the 7) require user interaction (i.e. following a link to or browsing to a bad website) to exploit so it’s not too bad. The biggest problem is with a system running NT4 and IIS4, but if you’re still running that old broke down system, you’ve got bigger problems than a new vulnerability.
Security Paul on 13 Jul 2004
Intro to Identity
I am excited about the slew of Information Security concepts that fall under the heading of Identity Management. Not only am I involved in such projects for my work, but I think there’s a good chance to see some interesting changes to how we interact in the online world. For a relatively new term Identity Management is open to interpretation on what it exactly entails. I’ll provide you my definition of Identity Management as I understand it from my research and experience.
Let’s start with Identity. At the most basic level identity is the collection of attributes that are associated to an entity to uniquely identify it. Name, birthdate, SSN, physical description, are all attributes that define my identity. Identity can include skills and qualifications as well. Often a verification of identity is required in order to execute a transaction. This can be as ephemeral as recognizing your spouse’s face before telling a secret, but more often there is a rigid requirement to prove identity especially in commercial transactions. Since the vast majority of transaction partners do not have a record of all your identity attributes, and if they did it would be impractical to verify all of it, we often rely on credentials to verify identity.
Things get a little tricky here, so stay with me. Credentials are attributes of your identity, but they are assigned by external parties after your identity has been verified through other means. Sometimes a credential is accepted as proof of identity by the other party after a verification process occurs. For most everyone the first credential you received is your birth certificate. A birth certificate is a credential backed by the hospital in which you were born that lists various attributes of your identity (namely birthdate, name, parent(s) name, etc.) Credentials and identity attributes are all very recursive. You prove your identity to an agency to receive a credential that becomes part of your identity that is presented to verify your identity and receive another credential to add as an attribute of your identity. Credentials that are backed by common and trusted agencies are most often used. Government issued credentials such as a driver’s license or military ID card are often used in the physical world to verify identity. The credential can be easily matched with the individual by matching the face presenting the credential with the picture on the credential. But I’m getting ahead of myself here.
Identity in the physical world has been used since the dawn of man. But online, when everything is reduced to 1s and 0s, how do you create identity? What are the unique attributes in the online world that allow you to execute transactions with systems and people across the room or across the world? Next time I’ll post about Digital Identity.