[SecurityRatty] tag: lock

IronKey adds remote wipe feature for USB drives

Mon, 29 Sep 2008 20:00:00 +0000

A new service called Silver Bullet from encrypted thumb-drive vendor IronKey will let administrators wipe out or lock the data on USB sticks in the field.

Lock and download: Door security gets boost from Web

Wed, 24 Sep 2008 20:00:00 +0000

LochIsle, an Ottawa-based company that aspires to "change the locks of the future," has released iLoch, a Web-based access control program for...

The ID card honeypot

Wed, 24 Sep 2008 20:00:00 +0000

In 1671, a soldier dressed as a priest attempted to steal the Crown Jewels from the Tower of London. In 1963, masked men including Ronnie Biggs ambushed a train in bucolic Buckinghamshire to steal 120 mail bags containing used notes -- the scam became known as the Great Train Robbery. In 1983, 6800 gold bars went missing from a lock-up in Heathrow in what became known as the Brinks Mat robbery, and in the same year, the great racehorse Shergar went missing. In 2001, a police sting caught villains red-handed (as they say in tabloids) in an attempt to steal £200m ($370.8 million) worth of diamonds from the Millennium Dome.

Enhanced Domain Protection Services Emerge

Wed, 24 Sep 2008 04:23:16 +0000

Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name Wire revealed that GoDaddy has filed for a patent for "Domain Name Hijack Protection." The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative. This application may be related to GoDaddy's Protected Registration service, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings. GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or some other such reason the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you. And thanks to DomainNameNews for reporting that Moniker, a registrar aimed at higher-volume domain name owners, has launched their DomainMaxLock service. DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:

Provide a government I.D. number for verification of your identity.
Set up custom security questions and answers, further safeguarding your domain assets.
Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.
When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!

It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99. These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.

SQL Server 2008 - DBCC BYTES

Fri, 19 Sep 2008 12:24:22 +0000

I’ve just noticed that Microsoft had removed the DBCC BYTES command from DBCC. On 2005: DBCC TRACEON(2588) DBCC HELP (’?') GO activecursors addextendedproc addinstance auditevent autopilot buffer bytes cacheprofile cachestats callfulltext checkalloc checkcatalog checkconstraints checkdb checkfilegroup checkident checkprimaryfile checktable cleantable clearspacecaches collectstats concurrencyviolation cursorstats dbrecover dbreindex dbreindexall dbrepair debugbreak deleteinstance detachdb dropcleanbuffers dropextendedproc config dbinfo dbtable lock log page resource dumptrigger errorlog extentinfo fileheader fixallocation flush flushprocindb forceghostcleanup free freeproccache freesessioncache freesystemcache freeze_io help icecapquery incrementinstance ind indexdefrag inputbuffer invalidate_textptr invalidate_textptr_objid latch loginfo mapallocunit memobjlist memorymap memorystatus metadata movepage no_textptr opentran optimizer_whatif outputbuffer perfmon persiststackhash pintable proccache prtipage readpage renamecolumn ruleoff ruleon semetadata setcpuweight setinstance setioweight show_statistics showcontig showdbaffinity showfilestats showoffrules showonrules showtableaffinity showtext showweights shrinkdatabase shrinkfile sqlmgrstats sqlperf stackdump tec thaw_io traceoff traceon tracestatus unpintable updateusage useplan useroptions writepage cleanpage DBCC execution completed. If DBCC printed error messages, contact your system administrator. While running the same thing on 2008 does not contain DBCC BYTES. I wonder what’s the reason for this change (I’ve checked the binary and it does not contain [...]

Admins More Powerful Than Hackers

Tue, 16 Sep 2008 09:10:29 +0000

Do you trust your admins? We hope so.

The case of Terry Childs, the former San Francisco City Systems Administrator, is a good example of why you should be careful — Childs held the network hostage by withholding passwords and setting up a rogue access point. However in the court case, a supposedly expert witness testified that Childs posed no danger because the city could lock him out with simple steps.

Unfortunately, as Ira Winkler at RSA says, it’s not that simple –

…an administrator with a grudge can cause infinitely more damage than a “computer hacker” could ever dream of.

Given that Childs had his job for years, and purposefully kept a wide variety of critical network information from everyone else, it is impossible for them to lock him out of the network with “simple steps”. Of course soon after Tygar [the expert witness] filed his “expert” report, they discovered the rogue access point.

Read the full commentary here.

McAfee, Symantec ready VM security products

Fri, 12 Sep 2008 20:00:00 +0000

With VMware's user conference beginning next week in Las Vegas, security vendors Symantec and McAfee are readying new products designed to lock down the software running in virtual machine environments.

Simple Method Allows iPhone Passcode Lock To Be Bypassed

Thu, 28 Aug 2008 13:12:24 +0000

According to ZDNet, the feature which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information. Here are the steps to exploit this vulnerability (requires physical access to a passcode-protected device) to access the [...]

Locked iPhones can be unlocked without a password

Tue, 26 Aug 2008 20:00:00 +0000

Private information stored in Apple's iPhone and protected by a lock code can be accessed by anyone with just a few button presses.

Gallery: Images From the 16th Annual DefCon

Mon, 11 Aug 2008 14:30:00 +0000