Unintended consequences

Schneier on Security: Melbourne Water-Supply Security Risk
Another interesting piece, on SCADA security, from Bruce Schneier's blog. It's a good example of unintended consequences. When SCADA systems were designed it looks like most weren't expected to ever be connected to a general corporate network (let alone the Internet), and as such they rarely had the kind of security built in that you would expect from systems controlling critical infrastructure.
There's some interesting commentary on this piece as well, and some good links on SCADA security....

IT systems solve your SOx problems...

This story covers one angle of the regulatory compliance issue, where companies' compliance burdens are leading them to purchase additional IT security systems...
I hope this story is only telling one piece of the story for these companies, because without decent policies and procedures, a whole load of new tools won't help you much in proving to regulators that you have a well-controlled IT environment....

Illustrated guide to cryptographic hashes

An Illustrated Guide to Cryptographic Hashes
Handy guide to hashing

SOx increases fraud Risk?!!

Hidden fraud risk in Sarbanes-Oxley? | CNET News.com
Interesting perspective on SOx in this article, that the huge amounts of data being assembled for SOx compliance purposes will cause frauds to go unnoticed... I did notice that the quote came from a company whose business involves selling data analysis tools!

The web is not a safe place to be these days!

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
Interesting to see new categories of attacks gaining in popularity, as highlighted in this handlers' diary entry.
Adding malicious content to hosted websites is a handy way for malware authors to ensure that their code will be executed, rather than relying on e-mails with links, which (hopefully) are a less useful vector. (Surely by now a decent percentage of Internet users don't go around clicking links sent in e-mail....)
Also another good example (as if anyone needed more) of why patching is critical to protecting PCs at the moment.

Interesting commentary on md5 collision attacks

Financial Cryptography: Cryptographers have a Responsibility to Explain Results
An interesting post over at Financial Cryptography looks at the practical implications of a recent paper on collisions in MD5 and the possible effects on the security of certificates.
I'd agree that the paper has been taken out of context in a lot of stories, but then that seems to happen a lot when the journalists covering something aren't necessarily experts in that field. I suppose there must also be a temptation for the researchers to talk up their findings...

I'm back! from a looooong break

Well, the blog's been offline for about 2 months, not really to plan....
Caused by a series of hardware failures in the old server: first the motherboard/processor and then the system disk, 2 days later!
Combined with a 3 week holiday in India, that left me sans server for quite a while...
But I'm back up and running now, better than ever; the server's gone from a PII-450 to an Athlon64 2800+, which should make things a bit nippier.....

Wide open Webcams

Martin McKeay's Network Security Blog: Is your webcam one of these?
From the post on Martin McKeay's blog, it looks like I'm not the only one worried about where people are putting network webcams...
There's more info for a wide variety of cams Here and Here ...

More on Chip/PIN

There's some more comment on the ongoing Chip & PIN implementation in the UK at Schneier on Security and Financial Cryptography, with some interesting points being made about how this move coincides with one to shift the liability for fraudulent transactions from banks to retailers where the terminals haven't been upgraded.
Interesting to note that I've recently received a credit card with an expiry in 2006 which doesn't have a chip on it... I wonder if retailers will start refusing to accept cards without Chip & PIN in order to avoid liability.

Ethics and CISSP's

There's an interesting post over at <a title="The Quiet Earth