Another of the NSA's security guides

NSA Posts Mac OS X 10.3.x security guide
There's a blog entry pointing to a new NSA security guide, this one for Mac OS X.
I'm definitely in favour of these guides, as it's nice to get a source of non-vendor security advice (I always feel that they're more likely to point out any potential product issues than the vendor themselves).

Interesting Article about loss of customer data

MercuryNews.com | 11/02/2004 | Stolen computers have Wells Fargo customer data
There's what I think is an interesting point in this article about the loss of customer data from Wells Fargo. The loss didn't occur from Wells Fargo systems; it occurred from those of a partner company.
What I find interesting is that I wonder how many companies can honestly say that they ensure the security of data which they "own" (for want of a better term) no matter where it may reside.
Especially in these days of outsourcing... It's all very well for companies to spend a lot of money securing their data centres and other obvious places where data lies, but it's really quite pointless if that data (or the credential used to access it) is not as secure when it's processed or stored outside of those data centres...

Handy guide on SSH pub/priv key usage

SecurityFocus HOME Infocus: SSH User Identities
A useful guide on setting up and using public/private key encryption in conjunction with SSH.

Useful info on the consequences of certain security settings

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
Handy information from Microsoft covering some of the potential issues of hardening Windows boxes.

Sun Blueprints - Security

Sun BluePrints OnLine - Archives By Subject
Very useful links with a large amount of white papers from Sun covering security, amongst other areas.

Article looking at some of the defences against phishing

There's an article over at InfoWorld looking at the various measures that companies have been using to try and mitigate the current rising trend in phishing attacks.
My money's on server-based mitigations as opposed to client-based ones (like the anti-phishing toolbars mentioned in the article). There are several good reasons for this.
1. Companies don't and won't control the client environment, so they're not in a good position to dictate the client environment. Also, given the current trend in spyware and viruses, there's no way companies can place trust in a client-based solution.
2. There are literally millions of clients out there which would need to be "fixed" to make a solution work, but for each company there is only one location that needs fixed...
Personally my money's on the deployment of 2-factor authentication like SecurID. Most banks already use it internally; the main reason it hasn't been deployed for customers is cost... well, if phishing starts placing a significant cost on the banks, then suddenly it starts being much more viable to deploy...
Of course there are some more complications involved, as SecurID can still be vulnerable to a MITM attack, but it would still be a great step forward...

Interesting article on .NET code Security

Safety in Windows: Manage Access to Windows Objects with ACLs and the .NET Framework -- MSDN Magazine, November 2004
Interesting article on the code security features in .NET 2.

Security Journal

There've been a couple of sites pointing in the direction of what looks like an interesting security publication, Security Journal.

Canadian reaction to the Patriot act

There's a very interesting post over at Dana Epp's ramblings at the Sanctuary : B.C Privacy Commissioner says the USA Patriot Act violates privacy laws
I think one very interesting thing which this action may stir up is, given the apparent dichotomy between US privacy laws and the EU Data Protection Directive, why hasn't more action been taken by the various European data protection commissioners to ensure that data relating to EU citizens is properly handled when in the US. Right now the guidelines (at least what I've seen of them) seem fairly vague and not really in keeping with the level of rigour that the rest of the act's provisions have...

Microsoft Security Guidance Center

Over at the Microsoft Security Guidance Center, there's an interesting looking list of Microsoft security documents for free download (unfortunately, to get the PDFs you need to register and give some information that seems pretty unrelated to the documents, like your address).