Roger Halbheer on Security
You might have read the articles how you can download security updates for Windows Embedded onto Windows XP to address vulnerabilities in Windows XP. This is an interesting problem. So, it is easy to force XP to download updates for a different OS. Is this now good or bad? Well, it is kind of both.…
DetailsTo start with the way I look at the answer of the question above: Yes, I think so. Basically, when you talk with people knowing the industry, the classical signature-based approach never even worked. It was able to detect a certain number of viruses, which typically is a just small percentage of what the technology…
DetailsI think I really do not need to comment this as the title itself says it all: US arrogance puts further doubt on cloud data sovereignty If you add some content, I just think they do not get it: New York-based U.S. Magistrate Judge James Francis last week ruled that local search warrants must include…
DetailsMaybe Heartbleed has the positive side-effect that users think about using different passwords for different sites (and then a password manager?) or websites start to think about using two-factor authentication? The downside typically is, that these effects tend not to last all too long… or how far did Snowden really change people’s behavior? Heartbleed’s silver…
DetailsThat’s a big “outch”: Be Careful what you Scan for! Just to quote SANS: After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP Proiliant Servers iLo ports (iL01 and iLO2) are not susceptible to heartbleed. However, their implementation of SSL…
DetailsI was doing quite some PKI projects in my former life. One of the key themes during the policy discussion and then afterwards in the implementation was always the way somebody can revoke a certificate and then how the revocation was communicated. Shall OCSP be used or shall we stay with the good old CRLs?…
DetailsThis is the first time, I had to go through an emergency update process of that scale – well better, my team went, I do not want to claim any success here for myself. I was basically just an observer. However, there were a few interesting things, which I learned during the last few days:…
DetailsI guess, you have have been through such meetings as well? At least I felt fairly often like that, when I was in consulting
Roger
The next development in the whole NSA discussion. The EU and Brazil decided to build a transatlantic cable between Europe and Latin America – as a reaction to protect privacy, they say. Well, the quotes are fairly harsh and direct… We have to respect privacy, human rights and the sovereignty of nations. We don’t want…
DetailsRemember my post back in November? If something is free – you are the product! – Now I read an article today, which completely proves this point. It is about Google being sued for scanning student emails. The really interesting thing is this quote: Of course it’s not news that Google reads the emails in…
DetailsIt is fairly well-known that “the Internet” knows a lot about us. However, there is a really good story on ZDNet, which shows how far you can go even with people who try their best to protect their identity. Before you read the article, there is one thing to mention: To my knowledge there are…
DetailsA teacher in the US reached a settlement with his former employer regarding an age discrimination suit. It was agreed that the $80k settlement should remain confidential. However, the teacher informed the court that they had to tell their daughter “something”. Which led the girl to post on Facebook (“only” to her 1200 “friends”): Mama…
DetailsIt is obvious: Less admin privileges reduces the risk of successful attacks. This is not really news, isn’t it? That this reduces the attack surface dramatically, well, not new either: Time to drop unnecessary admin privileges What I am really wondering: We are all talking about Bring Your Own Device scenarios, where it is to…
DetailsWeak and lost passwords are always a challenge in an online world. Different countries work now on a protocol to support different authentication methods in an online world to make passwords redundant. I think that this is a really good an interesting approach to keep an eye on: Password-free online authentication a step closer Roger…
DetailsThe White House released a framework for the critical infrastructure regarding Cybersecurity. The interesting part is, that it is not based on a certification approach but on risk management. Definitely the right mindset as it allows companies to move away from compliance management to risk management. I am absolutely convinced that managing compliance has its…
DetailsIn the recent years several attacks on different customer systems became public (from Sony, Adobe etc. etc.) and it is sometimes hard to keep up with the different lists, which are on the web to figure out, whether your address was part of it. I recently found a service offered by a guy called Troy…
DetailsSometimes when I talk to security people, I am astonished, how self-confident they are that they will not be victimized by fraud or identity theft. There is a very good chance that the barrier to get into my identities is higher than with others but not impossible. Let me tell you a story: I have…
DetailsHardly a day goes by without news in the NSA/Snowden affair. Bruce Schneier adds to the fuel by publishing an NSA Exploit of the Day. But while this affair drives news cycles, the ideas on how to address the problem of governments spying on each other and on citizens as such are not too numerous.…
DetailsA lot has been written about the incident at the US retailer “Target”. It is always interesting how easy such incidents happen – without really blaming Target in this case. It seems that a virus infected their payment terminals and read the magnetic stripe of the Credit Card including the name of the owner –…
DetailsThis is a really cool comic explaining security – just enjoy here.
Roger
